Archive

How to convert string date format to other date format?

Engager

I have string like this 08Aug2017 10:12:55 CDT"

I want date format like = 08-Aug-2017 10:12:55 CDT

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@prabu116, you can use replace() function with eval command. Following is run anywhere search, you can use your own base search and field name

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

SplunkTrust
SplunkTrust

And a fourth answer using a different method (only the rex command is really the answer part):

| makeresults | eval date="08Aug2017 10:12:55 CDT"
| rex field=date mode=sed "s/(\d\d)(\w{3})(\d{4})/\1-\2-\3/"

One reason Splunk is great is that there are so many ways to do something. I thought it would be good to provide multiple ways here because we can all learn from what others do. I think that all the previous answers are all good and worthy of looking at. Mine is very simple, relying only on a single rex command, but if you need something more complicated that what it will do, I think that woodcock's and cmerriman's answers can give you the most flexibility if you need to go with a format that differs more than you have described. I'm up-voting those answers.

Esteemed Legend

The right way to do it is to convert to time_t (AKA "epoch") and KEEP it that way. Then use fieldformat to make it look pretty:

... | eval MyDate=strptime(MyDate,"%d%b%Y %H:%M:%S %Z")
| fieldformat MyDate = strftime(MyDate, "%d-%b-%Y %H:%M:%S %Z")

Super Champion

try this:

|eval date=strftime(strptime(dateField,"%d%b%Y %H:%M:%S %Z"),"%d-%b-%Y %H:%M:%S %Z")

it will basically put your string into epoch time and then put it back as a date string in the format you want.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

SplunkTrust
SplunkTrust

@prabu116, you can use replace() function with eval command. Following is run anywhere search, you can use your own base search and field name

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Engager

This is work fine. Thanks a lot niletnilay

0 Karma

SplunkTrust
SplunkTrust

Glad it worked. You got plenty of options to choose from 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma