Converting timestamp to date?

MichaelCohen821 · ‎05-09-2014

Hello Splunk Community

I am trying to convert a timestamp, StartTime (current format: 2014-05-09T19:11:52.5165976Z) in my log file data to a simple DD-MON-YY formatting. I have found a number of solutions in these forums, but I cannot seem to get it to work despite numerous attempts.

My original search is: sourcetype="logfile" Status="*" | chart dc(UserId) by StartTime | SORT dc(UserId) desc

I have tried implementing the following code: strptime(StartTime, "%d-%b-%Y") but this makes the Search fail. I’ve also tried using the eval command, but still no results are returned.

Any help would be greatly appreciated.

Thank you,

Mike

linu1988 · ‎05-09-2014

Hi Mike,
The timeformat looks to be simple which splunk should have read it automatically which will mean Starttime=_time(default eventtime)

if not you need a convertion before make it to your usable format. So it would go like this

|eval StartTime=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")|eval StartTime=strftime(StartTime,"%d-%b-%Y")

OR
|eval StartTime=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d-%b-%Y" ctime(StartTime)

Thanks

Converting timestamp to date?

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

Are you a member of the Splunk Community?

Converting timestamp to date?

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!