https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169742#M48516 <P>If your logs are parsed properly, each event will also have a _time field - it appears in the left column when you search. This is the time field that I would use, as it takes into account the fact that different logs and servers may have different timezones.</P> <P>To use it as you described:</P> <PRE><CODE>yoursearchhere | eval TimeOutput=strftime(_time,"%x %r") | fields TimeOutput _raw </CODE></PRE> <P>Although most of the time, Splunk will format the time appropriately for you, depending on the statistics. Exactly what did you want to calculate?<BR /> You can find out more info about strftime by Googling - it is a standard formatting function in many computer languages.</P> Thu, 13 Aug 2015 05:55:30 GMT lguinn2 2015-08-13T05:55:30Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169741#M48515 <P>In my logs that is pulled into Splunk the time is recorded as datetime="2015-08-13 01:43:38" . So when I do a search and go to the statistics tab, the date and time is displayed with the year first, then the month and the date and the time. How can I format the field so that it will be in the following format</P> <P>MM-DD-YYYY 00:00 AM or PM (08-13-2015 01:43 AM)</P> Thu, 13 Aug 2015 02:22:28 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169741#M48515 samble 2015-08-13T02:22:28Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169742#M48516 <P>If your logs are parsed properly, each event will also have a _time field - it appears in the left column when you search. This is the time field that I would use, as it takes into account the fact that different logs and servers may have different timezones.</P> <P>To use it as you described:</P> <PRE><CODE>yoursearchhere | eval TimeOutput=strftime(_time,"%x %r") | fields TimeOutput _raw </CODE></PRE> <P>Although most of the time, Splunk will format the time appropriately for you, depending on the statistics. Exactly what did you want to calculate?<BR /> You can find out more info about strftime by Googling - it is a standard formatting function in many computer languages.</P> Thu, 13 Aug 2015 05:55:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169742#M48516 lguinn2 2015-08-13T05:55:30Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169743#M48517 <P>use</P> <PRE><CODE>| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time | table _time, c_time </CODE></PRE> <P>or</P> <PRE><CODE>| eval strf_time =strftime(_time, "%m-%d-%Y %l:%M %p") | table _time, strf_time </CODE></PRE> <P>This results in </P> <PRE><CODE> 2015-08-13 06:33:17 08-13-2015 6:33 AM </CODE></PRE> <P>There are no leading zeros on the hour. See also <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert</A> and <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonEvalFunctions#Date_and_Time_functions" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonEvalFunctions#Date_and_Time_functions</A></P> Tue, 29 Sep 2020 06:59:24 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169743#M48517 FritzWittwer_ol 2020-09-29T06:59:24Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169744#M48518 <P>I do not see _time field as a field that is extracted in the left, but it does use the _time field when displaying the data in the statistics tab. I'm trying to display the temperature in the data closets for a 24 hour period in a dashboard using the time chart function. When I try the above it does display the time correctly ( would be nice if I could display time as 00:00 AM or PM instead and avoid the seconds) but the columns for the cabinets is missing. Now I end up with only 3 columns timeoutput, _raw and time</P> <P>Below is my original search</P> <P>key=Temp | timechart span=30m latest(value) by host limit=0</P> Thu, 13 Aug 2015 11:06:26 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169744#M48518 samble 2015-08-13T11:06:26Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169745#M48519 <P>Do it like this:</P> <PRE><CODE>key=Temp | timechart span=30m latest(value) by host limit=0 | fieldformat _time = strftime(_time,"%x %r") </CODE></PRE> Thu, 13 Aug 2015 12:58:00 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169745#M48519 woodcock 2015-08-13T12:58:00Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169746#M48520 <P>Now it displays all the columns I want, but the time is not displayed correctly, it just has a bunch of characters under the _time column. Below is an example.</P> <P>_time<BR /> 0NaN-NaN-NaN NaN:NaN:NaN</P> Thu, 13 Aug 2015 13:02:27 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169746#M48520 samble 2015-08-13T13:02:27Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169747#M48521 <P>Are you sure you copied it exactly as the answer? I just re-tested it and it works fine. How are your events created (perhaps something is not creating the <CODE>_time</CODE> field correctly because the error is from <CODE>strftime</CODE> saying that it is not finding a number to use N=Not, a=a, N=Number -&gt; NaN -&gt; Not-a-Number.</P> Thu, 13 Aug 2015 13:21:14 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169747#M48521 woodcock 2015-08-13T13:21:14Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169748#M48522 <P>Thank you for taking the time to answer this question. I copied the line above as is in my search window and that is what I got. Below is how the time is displayed in the logs.</P> <P>server host="NOC 06thFL E" address="xxx.xx.xxx.xx" name="WatchDog 15" product-version="1.5.1" mac-address="00:04:A3:C9:BD:CF" datetime="2015-08-13 13:25:58"</P> Thu, 13 Aug 2015 13:39:53 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169748#M48522 samble 2015-08-13T13:39:53Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169749#M48523 <P>The field _time (or any field starting with underscore) is special/internal fields generated by Splunk and will not be visible on the Field sidebar. Also, since this is a special field, the fieldformat does't really changes the format of _time, so what you need to do is to create a new regular field and use that. e.g.</P> <PRE><CODE>key=Temp | timechart span=30m latest(value) by host limit=0 | eval Timestamp=strftime(_time,"%x %r") | fields - _time | table Timestamp * </CODE></PRE> Thu, 13 Aug 2015 15:20:01 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169749#M48523 somesoni2 2015-08-13T15:20:01Z https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169750#M48524 <P>That did the trick, now I have the table in the way it should be. Thanks again.</P> Thu, 13 Aug 2015 15:31:59 GMT https://community.splunk.com/t5/Splunk-Search/how-to-format-date-and-time-in-searches/m-p/169750#M48524 samble 2015-08-13T15:31:59Z