Getting Data In

How to configure for ISO 8601 date and time display?

pmocek
Explorer

How can I cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601, the international standard for representation of dates and times?

I do not want to specify use of this format for a specific dashboard, view, or report. I do not want to affect the parsing of timestamps when Splunk indexes data. When Splunk formats a numeric representation of date and/or time for presentation to a user (not when it displays raw data), I want it to use the standard format.

I do not believe that I can cause my browser to communicate this style guideline to Splunk, and no option for overriding the browser locale appears to offer this format.

I am using Splunk 5.0.3. My searches of the Web, Splunk's documentation, the Splunk wiki, and this knowledge base have not turned up a direct solution, though "translating Splunk" (a heavy-handed operation I would prefer to avoid) may be an option.

1 Solution

pmocek
Explorer

Answering my own question: You cannot do that.

0 Karma

scentoni_splunk
Splunk Employee

This is not the answer you want, but may help others that are looking to format a field in ISO 8601 format. Try:

sourcetype="access_combined" | eval iso8601time=strftime(_time,"%Y-%m-%dT%H:%M:%S%z") | table _time, iso8601time

_time                iso8601time
2015-06-24 14:01:59  2015-06-24T14:01:59-0700
2015-06-24 14:01:40  2015-06-24T14:01:40-0700
2015-06-24 14:01:31  2015-06-24T14:01:31-0700

MohamedElagamy
Engager

Well, that's unacceptable. How are we supposed to parse ISO 8601 then?

0 Karma

darlas
Communicator

I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help.

0 Karma
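
For the parsing direction asked about in the two comments above, here is an added example (not posted by anyone in this thread) that turns ISO 8601 strings into epoch time with strptime and then into a friendlier display string with strftime. It first rewrites a trailing "Z" and a colon-separated offset into the +hhmm form that %z produced in the answer above, so the three constructed sample values, which all describe the same instant, end up with the same whole-second epoch. Assumptions: the makeresults command is available (it is not in the 5.0.3 release mentioned in the question), and the field names constructed_iso, normalized, epoch and friendly are hypothetical.

```spl
| makeresults
| eval constructed_iso=split("2015-06-24T14:01:59-0700,2015-06-24T21:01:59Z,2015-06-24T21:01:59.250+00:00", ",")
| mvexpand constructed_iso
| eval normalized=replace(replace(constructed_iso, "Z$", "+0000"), "([+-]\d{2}):(\d{2})$", "\1\2")
| eval epoch=coalesce(strptime(normalized, "%Y-%m-%dT%H:%M:%S.%3N%z"), strptime(normalized, "%Y-%m-%dT%H:%M:%S%z"))
| eval friendly=strftime(epoch, "%a %d %b %Y %I:%M:%S %p %Z")
| table constructed_iso, normalized, epoch, friendly
```

The friendly column is rendered in the searching user's configured time zone, so it changes per user while epoch does not.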

pmocek
Explorer

This does not appear to cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601.

0 Karma