topic Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format? in Splunk Search

How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Thu, 11 May 2017 16:21:25 GMT

How to do the time conversion for 2017-04-14T13:52:21.000Z to an understandable format? Any one please tell me the Query. Thanks!

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Thu, 11 May 2017 17:40:40 GMT

Is there a particular format you wanted it in?

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Thu, 11 May 2017 18:00:03 GMT

Try something like this:

[YOUR BASE SEARCH]
| eval newformat=strftime(strptime(yourtimefield,"Current format of date/time field"),"Format you want the date/time in") 
| table yourtimefield newformat

Example with current format and new format:

[YOUR BASE SEARCH]
| eval newformat=strftime(strptime(yourtimefield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p") 
| table yourtimefield newformat

To help determine your time format, see Date and Time Format Variables documentation: http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Commontimeformatvariables

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Tue, 29 Sep 2020 14:01:47 GMT

Nothing particular I just want it in readable format. What I am trying to do is put the start_date and end_table in the table chat.

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Tue, 29 Sep 2020 14:01:50 GMT

What I am trying to do is put the start_date and end_table(Readable format) in the table chat.

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Tue, 29 Sep 2020 14:01:52 GMT

So, to make sure I understand, you have 2 date/time fields: start_date and end_date, and you want to format them and put them in a table?

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Thu, 11 May 2017 18:12:32 GMT

Yes Exactly

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Thu, 11 May 2017 18:14:58 GMT

I am trying to show the Alert start and end date and time.

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Tue, 29 Sep 2020 14:01:55 GMT

In that case you would use the same method:

[YOUR BASE SEARCH]
| eval start_time=strftime(strptime(startfield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p")
| eval end_time=strftime(strptime(endfield,,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p")
| table start_time end_time

Again, replace the formats I am using with your current and desired format. Does this help?

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Thu, 11 May 2017 18:43:31 GMT

It is not working..Showing empty table with the field name(Start_time)

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Thu, 11 May 2017 18:56:32 GMT

Are you replacing startfield and endfield with your fields, and have you changed the format in the strptime to the current format?

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

woodcock — Thu, 11 May 2017 20:29:19 GMT

Like this:

... | foreach start_date end_table [ eval <<FIELD>> = strptime(<<FIELD>>, "%Y/%m/%dT%H:%M:%S.%3q %Z") | fieldformat <<FIELD>> = strftime(<<FIELD>>, "%m/%d/%Y %H:%M:%S") ] | table start_date end_table

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Tue, 29 Sep 2020 14:03:12 GMT

Not working..This are my field names alert_started_at alert_ended_at.

And I am trying to show the alert_started_at alert_ended_at readable format in the table.

Can you please help me with this one?

Thanks

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Tue, 29 Sep 2020 14:03:09 GMT

Try this:

[YOUR BASE SEARCH]
| eval alert_started_at=strftime(strptime(alert_started_at,"%Y-%m-%dT%H:%M:%S.%3q%Z"),"%m/%d/%Y %p") 
| eval alert_ended_at=strftime(strptime(alert_ended_at,"%Y-%m-%dT%H:%M:%S.%3q%Z"),"%m/%d/%Y %p") 
| table alert_started_at alert_ended_at

This will overwrite the original value of alert_started_at and alert_ended_at, so if you want to maintain that original values, you should change the fieldname before the equals to your new field name. Also, the second date format is just an example, use the documentation link from my earlier answer to format the date the way you want it.

The first format should work for your posted date format in your question.

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Fri, 12 May 2017 14:06:42 GMT

Old format : 2017-05-12T13:34:31.000Z

New format(after applying) : 04/12/2017 PM

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Fri, 12 May 2017 14:14:21 GMT

What format would you like it to be in?

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Fri, 12 May 2017 14:19:52 GMT

Like 04/12/2017 T %H:%M:%S PM %Z

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Fri, 12 May 2017 14:22:03 GMT

Change the second format in each eval statement to:

%m/%d/%Y T %H:%M:%S %Z

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

dchalasani — Fri, 12 May 2017 14:26:03 GMT

Worked Thanks!

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

kmorris_splunk — Fri, 12 May 2017 14:27:53 GMT

Great! Glad I could help.