https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86242#M21991 <P>that worked great thank you very much. I read right over the %a function when looking up strptime formats.</P> Tue, 06 Mar 2012 22:42:45 GMT cramasta 2012-03-06T22:42:45Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86240#M21989 <P>So when Splunk admon changed from 4.1.5 to 4.1.6 they also changed how it exacted a timestamp field from AD</P> <P>4.1.5 had fields that looked like this</P> <P>whenChanged=20100128233113.0Z</P> <P>whenCreated=20100128232712.0Z</P> <P>With this format I could create a nice STRPTIME that worked for turning this into timestamp splunk understood</P> <HR /> <P>4.1.6 came out and changed it to this</P> <P>whenCreated=10:15.04 pm, Tue 02/12/2008</P> <P>whenChanged=10:23.00 pm, Tue 02/12/2008</P> <P>In 4.3 ADMON the timestamp is still extracted in the 4.1.6 format</P> <P>Does anyone have any suggestions on how I can create a STRPTIME to recognize this format. I cant seem to figure out a way to get it to understand/ignore the abbreviated days of the week.</P> <P>Thanks,<BR /> J</P> Tue, 06 Mar 2012 22:30:09 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86240#M21989 cramasta 2012-03-06T22:30:09Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86241#M21990 <PRE><CODE>strptime(whenCreated, "%I:%M.%S %p, %a %m/%d/%Y") </CODE></PRE> <P>should work...</P> Tue, 06 Mar 2012 22:37:17 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86241#M21990 lguinn2 2012-03-06T22:37:17Z https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86242#M21991 <P>that worked great thank you very much. I read right over the %a function when looking up strptime formats.</P> Tue, 06 Mar 2012 22:42:45 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-a-STRPTIME/m-p/86242#M21991 cramasta 2012-03-06T22:42:45Z