Archive
Highlighted

How to convert the date which is in text format (YYYY-MM-DD HH:MM:SS) to a new field called "month_name" (MMM)

New Member

Hello,

I have a field name called "openedat" where the date in this field is in text format (YYYY-MM-DD HH:MM:SS). Now, using "openedat" field, I need to create a new field called "month_name" which should display only month in (MMM) format.

Example:- If my date in the field "openedat" is in text format (2017-05-31 10:20:10), then the new field should be populated as "monthname" and it should show the result as "May".

Please help!

Tags (1)
0 Karma
Highlighted

Re: How to convert the date which is in text format (YYYY-MM-DD HH:MM:SS) to a new field called "month_name" (MMM)

Builder

If you already have a field named opened_at extracted then do it this way -

<your search> | eval month_name=strftime(strptime(opened_at,"%F %T"),"%b")

Here are details of the time functions used - http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/CommonEvalFunctions

View solution in original post

0 Karma
Highlighted

Re: How to convert the date which is in text format (YYYY-MM-DD HH:MM:SS) to a new field called "month_name" (MMM)

SplunkTrust
SplunkTrust

A combination of strptime to convert the existing time into an epoch, then a strftime to convert it to the format you want.

... | eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")

Should do it.

A run anywhere example:

| makeresults 
| eval opened_at = "2017-05-31 10:20:10"
| eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")
Highlighted

Re: How to convert the date which is in text format (YYYY-MM-DD HH:MM:SS) to a new field called "month_name" (MMM)

SplunkTrust
SplunkTrust

Also, "%b" could be used at the end to get the 3-character month abbreviation.

Links for reference:
Eval Date and Time functions
Common Time Format Variables

0 Karma