Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Time format in DB query result

anoopambli
Communicator
‎12-16-2013 09:12 AM

I am using splunk DB connect to pull out some data to create a dashboard. But having difficulty in getting the time format corrected in search result. The time format looks like in seconds, how do i convert them to Date-Month-year format. Below is the sample of search result, i am trying to get Creation_field and last_update_field time format adjusted.

CREATION_DATE DESCRIPTION LAST_UPDATE_DATE USERNAME
1384405200 xnje411 server monitoring addition 1385010000 Melvin Bolden (a056648)
1384318800 snjw100 server monitoring addition 1385960400 Melvin Bolden (a056648)

Tags (1)
0 Karma
Reply

sroback_splunk
Splunk Employee
Splunk Employee
‎12-16-2013 04:23 PM

You can try to use the | fieldformat command (similar to eval, but applies at field rendering time, so that sort still works correctly) and the strftime() function. For example:

... | fieldformat Creation_field = strftime(Creation_field, “%m-%d-%y”)

See: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldformat#Examples

Reply

anoopambli
Communicator
‎12-17-2013 07:05 AM

I was able to fix it by using convert command convert timeformat="%b %d, %Y" ctime(OPEN_TIME) AS Open-Date

Reply

anoopambli
Communicator
‎12-17-2013 02:10 AM

I tried using fieldformat option but facing some problem. This is the query i am running

... | fieldformat "OPEN_TIME"=strftime('Open time', "%m-%d-%y")

The result for Open_time field coming up as blank now,

Anything i am doing wrong here??

0 Karma
Reply

aholzer
Motivator
‎12-16-2013 09:26 AM

Look at the convert command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/convert

Or look at the eval function strftime:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Hope this helps

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎12-16-2013 09:19 AM

Hi, you probably just need to make sure that Splunk recognizes that's a time. Here's some tips: http://docs.splunk.com/Documentation/DBX/1.1.1/DeployDBX/Configuredatabasemonitoring#About_timestamp...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...