Getting Data In

How to configure for ISO 8601 date and time display?

pmocek
Explorer

How can I cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601, the international standard for representation of dates and times?

I do not want to specify use of this format for a specific dashboard, view, or report. I do not want to affect the parsing of timestamps when Splunk indexes data. When Splunk formats a numeric representation of date and/or time for presentation to a user (not when it displays raw data), I want it to use the standard format.

I do not believe that I can cause my browser to communicate this style guideline to Splunk, and no option for overriding the browser locale appears to offer this format.

I am using Splunk 5.0.3. My searches of the Web, Splunk's documentation, the Splunk wiki, and this knowledge base, have not turned up a direct solution, though "translating Splunk" (a heavy-handed operation I would prefer to avoid) may be an option.

1 Solution

pmocek
Explorer

Answering my own question: You cannot do that.

View solution in original post

0 Karma

pmocek
Explorer

Answering my own question: You cannot do that.

0 Karma

scentoni_splunk
Splunk Employee
Splunk Employee

This is not the answer you want, but may help others that are looking to format a field in ISO 8601 format. Try
sourcetype="access_combined" |eval iso8601time=strftime(_time,"%Y-%m-%dT%H:%M:%S%z") |table _time, iso8601time

_time                 iso8601time
2015-06-24 14:01:59 2015-06-24T14:01:59-0700
2015-06-24 14:01:40 2015-06-24T14:01:40-0700
2015-06-24 14:01:31 2015-06-24T14:01:31-0700

MohamedElagamy
Engager

well that's unacceptable, how are we supposed to parse ISO 8601 then ?

0 Karma

darlas
Communicator

I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help.

0 Karma

pmocek
Explorer

This does not appear to cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601.

0 Karma

Dennis
Explorer

Hello darlas,

Was just refreshing my knowledge of the ISO 8601 timestamp format, and read your post from 5 years and 9 months ago.  Don't see that anyone ever responded to your question.

"I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help."

ISO 8610 format:

| eval newtime=strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")

Here is something more human readable friendly without getting to far away from the ISO standard.  Like to change the year with century, %Y, to without century, %y, leave out the T separator and the time zone offset, %z, and add the milliseconds, %3N.  Also, like to add the @ between the date and time strings, but that can be added of removed depending on preference, and horizontal real estate available in the report or dashboard panel. Hope this helps - if you still need help.  😎

| eval newtime=strftime(_time, "%m/%d/%y @ %H:%M:%S.%3N")

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...