Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is AM/PM not properly extracted by %p for for 12 hour timestamps?

splunk_worker
Path Finder
‎12-04-2014 09:44 AM 
index=myindex | eval originaltime=strptime(eventTime, "%b %d, %Y %H:%M:%S %p")

Some sample values of eventTime parameter are

Dec 04, 2014 12:31:57 PM
Dec 04, 2014 12:31:58 PM
Dec 04, 2014 12:31:50 PM

Why is %p not recognizing PM? The value of originaltime is always AM. E.g: if the eventTIme is 1:30 PM today, then the originaltime gets the epoch time for 1:30 AM today. Somehow %p is not recognizing %p. Any suggestions??

Splunk verion: 6.1.3

0 Karma
Reply

Anne_Landry
Explorer
‎12-24-2015 03:27 PM

I was having the same issue with the following timestamp on a custom sourcetype: 12:04:36.260353 AM. Using Timestamp format %H:%M:%S.%6N %P was indexing the data as PM for AM. Changed to %I:%M:%S.%6N %P and it now works.

Reply

aaubert
New Member
‎06-11-2015 05:32 AM

I think you must replace the %H by %I

index=myindex | eval originaltime=strptime(eventTime, "%b %d, %Y %I:%M:%S %p")
0 Karma
Reply
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...