Getting Data In

Changing Time Format

ajdyer2000
Engager

Hi,

I have a search that displays the "UserID Expiration Date" field as "12/6/2019 21:01"

I would like to convert this to a format of the field "2019-12-6" (leaving out the time)

I appreciate all the help. This forum is awesome with awesome people.

Alan

Tags (2)
0 Karma

mayurr98
SplunkTrust
SplunkTrust

hey, try this.

index=your_base_search | rex field="UserID Expiration Date" "(?P<Date>[^\s]+)"

This will create Date field which will have the values which you want!

Let me know if this helps you!

0 Karma

somesoni2
Revered Legend

Try like this

your current search with field "UserID Expiration Date"
| eval "UserID Expiration Date"=strftime(strptime('UserID Expiration Date',"%m/%d/%Y %H:%M"),"%Y-%m-%d")

OR

your current search with field "UserID Expiration Date"
| eval "UserID Expiration Date"=replace('UserID Expiration Date',"^(\d+)\/(\d+\/(\d+)(.+)","\3-\1-\2")
0 Karma

micahkemp
Champion

Run anywhere search that shows what you want:

| makeresults | eval expiration_original="12/6/2019 21:01" | eval expiration_new=strftime(strptime(expiration_original, "%m/%d/%Y %H:%M"), "%Y-%m-%d")

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!