Re: Convert Index time

RASHO · ‎04-03-2019

I am trying to change Event time Apr 02, 2019 3:15:34 AM to YYYY-MM-DD HH:MM:SS,sss format.

pruthvikrishnap · ‎04-03-2019

Few things can be done here:
1) Use "convert" in search where you input the current format and can edit the desired output.
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Convert
2) Eval function can also do this
https://answers.splunk.com/answers/728399/how-do-i-convert-the-date-format-in-a-custom-field.html
3) from CLI place below parameter in props.conf
[sourcetype]
TIME_FORMAT = %Y-%m-%d %k:%M:%S
in
C:\Program Files\Splunk\etc\system\local\props.conf

somesoni2 · ‎04-03-2019

In search (converting the date format in search result)??

vnravikumar · ‎04-03-2019

Hi

Are you trying to convert date field to the specified format? Then try this

| makeresults 
| eval source = "Apr 02, 2019 3:15:34 AM" 
| eval epoch =strptime(source,"%b %d, %Y %H:%M:%S %p") 
| eval newdate=strftime(epoch,"%Y-%m-%d %H:%M:%S %p")

If not please explain your requirement in detail.

RASHO · ‎04-03-2019

I am getting events with
Time Event
4/2/19 3:15:34.000 AM Apr 02, 2019 3:15:34 AM xxxxxxxxx

I need to change event time format to YYYY-MM-DD HH:MM:SS,sss

vnravikumar · ‎04-03-2019

hi

check this link

https://answers.splunk.com/answers/148419/how-can-i-change-the-event-time-time-format-in-the-splunk-...

Convert Index time

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!