Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Time format in DB query result

anoopambli
Communicator
‎12-16-2013 09:12 AM

I am using splunk DB connect to pull out some data to create a dashboard. But having difficulty in getting the time format corrected in search result. The time format looks like in seconds, how do i convert them to Date-Month-year format. Below is the sample of search result, i am trying to get Creation_field and last_update_field time format adjusted.

CREATION_DATE DESCRIPTION LAST_UPDATE_DATE USERNAME
1384405200 xnje411 server monitoring addition 1385010000 Melvin Bolden (a056648)
1384318800 snjw100 server monitoring addition 1385960400 Melvin Bolden (a056648)

Tags (1)
0 Karma
Reply

sroback_splunk
Splunk Employee
Splunk Employee
‎12-16-2013 04:23 PM

You can try to use the | fieldformat command (similar to eval, but applies at field rendering time, so that sort still works correctly) and the strftime() function. For example:

... | fieldformat Creation_field = strftime(Creation_field, “%m-%d-%y”)

See: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldformat#Examples

Reply

anoopambli
Communicator
‎12-17-2013 07:05 AM

I was able to fix it by using convert command convert timeformat="%b %d, %Y" ctime(OPEN_TIME) AS Open-Date

Reply

anoopambli
Communicator
‎12-17-2013 02:10 AM

I tried using fieldformat option but facing some problem. This is the query i am running

... | fieldformat "OPEN_TIME"=strftime('Open time', "%m-%d-%y")

The result for Open_time field coming up as blank now,

Anything i am doing wrong here??

0 Karma
Reply

aholzer
Motivator
‎12-16-2013 09:26 AM

Look at the convert command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/convert

Or look at the eval function strftime:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Hope this helps

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎12-16-2013 09:19 AM

Hi, you probably just need to make sure that Splunk recognizes that's a time. Here's some tips: http://docs.splunk.com/Documentation/DBX/1.1.1/DeployDBX/Configuredatabasemonitoring#About_timestamp...

0 Karma
Reply
Get Updates on the Splunk Community!

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...