How to convert string date format to other date format?

Engager

I have a string like this: "08Aug2017 10:12:55 CDT"

I want a date format like: 08-Aug-2017 10:12:55 CDT

SplunkTrust

And a fourth answer using a different method (only the rex command is really the answer part):

| makeresults | eval date="08Aug2017 10:12:55 CDT"
| rex field=date mode=sed "s/(\d\d)(\w{3})(\d{4})/\1-\2-\3/"

One reason Splunk is great is that there are so many ways to do something. I thought it would be good to provide multiple ways here because we can all learn from what others do. I think that the previous answers are all good and worthy of looking at. Mine is very simple, relying only on a single rex command, but if you need something more complicated than what it will do, I think that woodcock's and cmerriman's answers can give you the most flexibility if you need to go with a format that differs more than you have described. I'm up-voting those answers.

Esteemed Legend

The right way to do it is to convert to time_t (AKA "epoch") and KEEP it that way. Then use fieldformat to make it look pretty:

... | eval MyDate=strptime(MyDate,"%d%b%Y %H:%M:%S %Z")
| fieldformat MyDate = strftime(MyDate, "%d-%b-%Y %H:%M:%S %Z")

Super Champion

Try this:

|eval date=strftime(strptime(dateField,"%d%b%Y %H:%M:%S %Z"),"%d-%b-%Y %H:%M:%S %Z")

It will basically put your string into epoch time and then put it back as a date string in the format you want.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Legend

@prabu116, you can use the replace() function with the eval command. The following is a run-anywhere search; you can use your own base search and field name.

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


Engager

This works fine. Thanks a lot niletnilay


Legend

Glad it worked. You got plenty of options to choose from 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
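
Added example (not part of any post above): a run-anywhere search that applies the thread's replace() and strptime()/strftime() approaches to two constructed values, one in the question's format and one that is not. The field names raw, by_regex, epoch and by_time are assumptions; replace() leaves a non-matching string unchanged, while strptime() returns null, so the second approach also flags values that do not fit the expected format.

```spl
| makeresults
| eval raw=split("08Aug2017 10:12:55 CDT;2017-08-08 10:12:55", ";")
| mvexpand raw
``` Constructed sample values: the first matches the question's format, the second does not ```
| eval by_regex=replace(raw, "^(\d{2})(\w{3})(\d{4})", "\1-\2-\3")
``` String rewrite only: a value that does not match the pattern passes through unchanged ```
| eval epoch=strptime(raw, "%d%b%Y %H:%M:%S %Z")
``` Real time parse: epoch is null when the value does not fit the format string ```
| eval by_time=if(isnull(epoch), "PARSE_FAILED", strftime(epoch, "%d-%b-%Y %H:%M:%S %Z"))
| table raw by_regex epoch by_time
```

strftime() renders the epoch in the time zone configured for the user running the search, so the %Z shown in by_time reflects that zone and is not necessarily CDT.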