How can I cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601, the international standard for representation of dates and times?
I do not want to specify use of this format for a specific dashboard, view, or report. I do not want to affect the parsing of timestamps when Splunk indexes data. When Splunk formats a numeric representation of date and/or time for presentation to a user (not when it displays raw data), I want it to use the standard format.
I do not believe that I can cause my browser to communicate this style guideline to Splunk, and no option for overriding the browser locale appears to offer this format.
I am using Splunk 5.0.3. My searches of the Web, Splunk's documentation, the Splunk wiki, and this knowledge base have not turned up a direct solution, though "translating Splunk" (a heavy-handed operation I would prefer to avoid) may be an option.
This is not the answer you want, but may help others that are looking to format a field in ISO 8601 format. Try
sourcetype="access_combined" | eval iso8601time=strftime(_time,"%Y-%m-%dT%H:%M:%S%z") | table _time, iso8601time

_time                iso8601time
2015-06-24 14:01:59  2015-06-24T14:01:59-0700
2015-06-24 14:01:40  2015-06-24T14:01:40-0700
2015-06-24 14:01:31  2015-06-24T14:01:31-0700
This does not appear to cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601.
I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help.
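The reverse direction asked about in the last comment, as an added example that is not part of the original posts: it reuses the answer's search and format string, parses the ISO 8601 string back to epoch time with strptime, and reformats it for reading. The field names epoch, friendly and roundtrip_ok are assumptions chosen for illustration.

```spl
sourcetype="access_combined"
``` build the ISO 8601 string exactly as in the answer above ```
| eval iso8601time=strftime(_time, "%Y-%m-%dT%H:%M:%S%z")
``` parse it back: strptime returns epoch seconds, honouring the %z offset ```
| eval epoch=strptime(iso8601time, "%Y-%m-%dT%H:%M:%S%z")
``` human-friendly rendering: weekday, day, month name, 12-hour clock, zone name ```
| eval friendly=strftime(epoch, "%A, %d %B %Y %I:%M:%S %p %Z")
``` sanity check: the parsed value should equal _time truncated to whole seconds ```
| eval roundtrip_ok=if(epoch==floor(_time), "yes", "no")
| table _time, iso8601time, friendly, roundtrip_ok
```

The triple-backtick comments are only accepted by newer Splunk releases; on older versions remove those lines. If strptime returns null, the format string does not match the input string.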