Getting Data In

How to convert my date and time field into a human readable format?

aaronevil
New Member

First, I read similar Question/Answers and was able to follow them for other time formats. These work well but didn't address the specific format my timestamp is in.

Use Case:
I have a field called "StartTime" and it has time in the following format: 2017-02-05T10:02:00.000-0800

I would like this to be converted for all fields so that when I table "StartTime" I get human readable format. I will be doing the same conversion for a field called "EndTime" which is in the same format.

Any help is appreciated.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It's already in human-readable format, but if you want to change the format try this:

... | fieldformat StartTime=strftime(strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p") | fieldformat EndTime=strftime(strptime(EndTime,"%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p") | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's already in human-readable format, but if you want to change the format try this:

... | fieldformat StartTime=strftime(strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p") | fieldformat EndTime=strftime(strptime(EndTime,"%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p") | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

aaronevil
New Member

This is actually along the lines of what I was trying initially. When I use fieldformat with strf and strp it removes all data from that field when I table it.

index="my_index"
| dedup key
| search key!=""
| fieldformat "StartTime"=strftime(strptime("StartTime","%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p")
| table key Summary StartTime

Results in StartTime being empty within the table.

0 Karma

splunker1981
Path Finder

Get rid of your quotes

|stats count | fields - count | eval StartTime="2017-02-05T10:02:00.000-0800"
| fieldformat StartTime=strftime(strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N%z"),"%m-%d-%Y %H:%M %p")
| table StartTime
0 Karma

aaronevil
New Member

Doh. Always the little things. I appreciate the additional eyes.

0 Karma

splunker1981
Path Finder

What do you mean by human readable, can you provide an example of what you'd like the end result to look like

0 Karma

aaronevil
New Member

Something similar to "2-5-2017 10:02 AM" for the example listed above.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...