https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195776#M56443 <P>Your conversions require that you use the full specification of the timestamp;</P> <P>Tue, 31 Dec 2013 17:48:19 +0000</P> <P>First you need to convert it from string to <CODE>epoch</CODE></P> <PRE><CODE>eval xxx = strptime(your_date_field,"%a, %d %b %Y %H:%M:%S %z") </CODE></PRE> <P>Then you can convert it back into subparts with the <CODE>strftime</CODE> function</P> <PRE><CODE>eval yyy = strftime(xxx,"%d") eval zzz = strftime(xxx,"%m-%d") </CODE></PRE> <P>If the timestamp field you are using for these conversion is the same that is used by Splunk for indexing the event, you can skip the first step and use <CODE>_time</CODE> instead. In this case, you may also have the desired subparts extracted in the various <CODE>date_*</CODE> fields. Beware though, that these are not adjusted for timezone differences.</P> <P>see; </P> <P><A href="http://www.strftime.net">www.strftime.net</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions</A></P> <P>/K</P> Sat, 04 Jan 2014 10:37:37 GMT kristian_kolb 2014-01-04T10:37:37Z https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195774#M56441 <P>We have a field in some of the JSON that that is a string representation of a date. The date is formatted like this:</P> <P>Tue, 31 Dec 2013 17:48:19 +0000</P> <P>How can I convert this string into a date, so that we can parse various parts of the date out at search-time? Currently it seems that we cannot convert it at all, and the resulting fieldname comes out blank. Ex:</P> <PRE><CODE>... | convert timeformat="%Y-%m-%d" ctime(OUR_DATE_FIELD) AS day | table OUR_DATE_FIELD, day ... | convert timeformat="%Y-%m" ctime(OUR_DATE_FIELD) AS month | table OUR_DATE_FIELD, month ... | eval day=strftime(OUR_DATE_FIELD, "%y-%m-%d") | table OUR_DATE_FIELD, day </CODE></PRE> <P>However, if we replace <CODE>OUR_DATE_FIELD</CODE> with _time, it obviously resolves correctly.</P> <P>Inevitably I would like to be able to easily toggle between report types like:</P> <PRE><CODE>... | convert timeformat="%Y-%m-%d" ctime(OUR_DATE_FIELD) AS day | timechart count by day ... | convert timeformat="%Y-%m" ctime(OUR_DATE_FIELD) AS month | timechart count by month </CODE></PRE> Sat, 04 Jan 2014 02:32:39 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195774#M56441 sheanineseven 2014-01-04T02:32:39Z https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195775#M56442 <P>For converting human-readable date strings into epoch time you can use <CODE>eval</CODE>'s <CODE>strptime</CODE> function. Its result can be used in <CODE>strftime</CODE> to get whichever part of the date you need.</P> Sat, 04 Jan 2014 10:16:09 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195775#M56442 martin_mueller 2014-01-04T10:16:09Z https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195776#M56443 <P>Your conversions require that you use the full specification of the timestamp;</P> <P>Tue, 31 Dec 2013 17:48:19 +0000</P> <P>First you need to convert it from string to <CODE>epoch</CODE></P> <PRE><CODE>eval xxx = strptime(your_date_field,"%a, %d %b %Y %H:%M:%S %z") </CODE></PRE> <P>Then you can convert it back into subparts with the <CODE>strftime</CODE> function</P> <PRE><CODE>eval yyy = strftime(xxx,"%d") eval zzz = strftime(xxx,"%m-%d") </CODE></PRE> <P>If the timestamp field you are using for these conversion is the same that is used by Splunk for indexing the event, you can skip the first step and use <CODE>_time</CODE> instead. In this case, you may also have the desired subparts extracted in the various <CODE>date_*</CODE> fields. Beware though, that these are not adjusted for timezone differences.</P> <P>see; </P> <P><A href="http://www.strftime.net">www.strftime.net</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions</A></P> <P>/K</P> Sat, 04 Jan 2014 10:37:37 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Date-Conversion-and-Parsing/m-p/195776#M56443 kristian_kolb 2014-01-04T10:37:37Z