How can I cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601, the international standard for representation of dates and times?
I do not want to specify use of this format for a specific dashboard, view, or report. I do not want to affect the parsing of timestamps when Splunk indexes data. When Splunk formats a numeric representation of date and/or time for presentation to a user (not when it displays raw data), I want it to use the standard format.
I do not believe that I can cause my browser to communicate this style guideline to Splunk, and no option for overriding the browser locale appears to offer this format.
I am using Splunk 5.0.3. My searches of the Web, Splunk's documentation, the Splunk wiki, and this knowledge base, have not turned up a direct solution, though "translating Splunk" (a heavy-handed operation I would prefer to avoid) may be an option.
Answering my own question: You cannot do that.
This is not the answer you want, but may help others that are looking to format a field in ISO 8601 format. Try
sourcetype="access_combined" |eval iso8601time=strftime(_time,"%Y-%m-%dT%H:%M:%S%z") |table _time, iso8601time
_time                iso8601time
2015-06-24 14:01:59  2015-06-24T14:01:59-0700
2015-06-24 14:01:40  2015-06-24T14:01:40-0700
2015-06-24 14:01:31  2015-06-24T14:01:31-0700
Well, that's unacceptable. How are we supposed to parse ISO 8601 then?
I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help.
This does not appear to cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601.
Hello darlas,
Was just refreshing my knowledge of the ISO 8601 timestamp format, and read your post from 5 years and 9 months ago. Don't see that anyone ever responded to your question.
"I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help."
ISO 8601 format:
| eval newtime=strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")
Here is something more human readable friendly without getting too far away from the ISO standard. Like to change the year with century, %Y, to without century, %y, leave out the T separator and the time zone offset, %z, and add the milliseconds, %3N. Also, like to add the @ between the date and time strings, but that can be added or removed depending on preference, and horizontal real estate available in the report or dashboard panel. Hope this helps - if you still need help. 😎
| eval newtime=strftime(_time, "%m/%d/%y @ %H:%M:%S.%3N")
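For the parsing half of the question (an ISO 8601 string sitting in a field rather than in _time), here is an added example that is not part of the original thread: it converts the string to epoch time with strptime, trying several ISO 8601 layouts, then renders it with the strftime formats shown above. The field name sample_ts and its values are constructed for illustration; `%:z` is the colon-separated offset variable from Splunk's time format documentation, and makeresults needs a newer release than the 5.0.3 mentioned in the question.

```spl
| makeresults
| eval sample_ts=split("2015-06-24T14:01:59-0700|2015-06-24T14:01:59.250-07:00|2015-06-24T14:01:59.250-0700|not-a-timestamp", "|")
| mvexpand sample_ts
| eval epoch=coalesce(
    strptime(sample_ts, "%Y-%m-%dT%H:%M:%S.%3N%:z"),
    strptime(sample_ts, "%Y-%m-%dT%H:%M:%S.%3N%z"),
    strptime(sample_ts, "%Y-%m-%dT%H:%M:%S%:z"),
    strptime(sample_ts, "%Y-%m-%dT%H:%M:%S%z"))
| eval parsed=if(isnull(epoch), "no", "yes")
| eval iso8601time=strftime(epoch, "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval human=strftime(epoch, "%m/%d/%y @ %H:%M:%S.%3N")
| table sample_ts, parsed, iso8601time, human
```

The parsed column flags values that matched none of the formats, so malformed timestamps show up as "no" instead of silently producing empty time fields. The output is rendered in the time zone of the user running the search, not the offset carried in the input string.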