Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert string date format to other date format?

prabu116
Engager
‎08-08-2017 12:29 AM

I have string like this 08Aug2017 10:12:55 CDT"

I want date format like = 08-Aug-2017 10:12:55 CDT

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-08-2017 04:44 AM

@prabu116, you can use replace() function with eval command. Following is run anywhere search, you can use your own base search and field name

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎08-08-2017 09:18 AM

And a fourth answer using a different method (only the rex command is really the answer part):

| makeresults | eval date="08Aug2017 10:12:55 CDT"
| rex field=date mode=sed "s/(\d\d)(\w{3})(\d{4})/\1-\2-\3/"

One reason Splunk is great is that there are so many ways to do something. I thought it would be good to provide multiple ways here because we can all learn from what others do. I think that all the previous answers are all good and worthy of looking at. Mine is very simple, relying only on a single rex command, but if you need something more complicated that what it will do, I think that woodcock's and cmerriman's answers can give you the most flexibility if you need to go with a format that differs more than you have described. I'm up-voting those answers.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-08-2017 07:34 AM

The right way to do it is to convert to time_t (AKA "epoch") and KEEP it that way. Then use fieldformat to make it look pretty:

... | eval MyDate=strptime(MyDate,"%d%b%Y %H:%M:%S %Z")
| fieldformat MyDate = strftime(MyDate, "%d-%b-%Y %H:%M:%S %Z")
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎08-08-2017 04:45 AM

try this:

|eval date=strftime(strptime(dateField,"%d%b%Y %H:%M:%S %Z"),"%d-%b-%Y %H:%M:%S %Z")

it will basically put your string into epoch time and then put it back as a date string in the format you want.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-08-2017 04:44 AM

@prabu116, you can use replace() function with eval command. Following is run anywhere search, you can use your own base search and field name

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

prabu116
Engager
‎08-09-2017 05:32 AM

This is work fine. Thanks a lot niletnilay

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-09-2017 08:56 AM

Glad it worked. You got plenty of options to choose from 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...