Getting Data In

convert time format

Ravan
Path Finder

Hi ,

In splunk query i need to convert time format as below .

Current format - Apr 13 17:58:35

Required Format : 04/13/2012 5:58:35 PM

Tags (1)
1 Solution

kristian_kolb
Ultra Champion

I believe that you'll have to make a two stage operation, first convert your input format to epoch, and the convert it to your desired format.

... | eval epochtime=strptime(your_current_time_field, "%b %d %H:%M:%S")| eval desired_time=strftime(epochtime, "%d/%m/%Y %I:%M:%S %p")

However, since the data coming in has no year specification, I'm not sure that you would get usable results. It may be that you'll have to make changes to the logging application so that the full date is being logged.

For information regarding strftime and strptime, see;

http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions
http://strftime.org


UPDATE:

Ah, ziegfried has an important point. If Splunk has read your timestamp (without the year) and parsed and indexed it correctly (you can compare the the timestamps in the events with the timestamp next to the blue down-arrow-thingy to the left of the event), then you can skip the first part and use the _time field, which is already in epoch.

...| eval desired_time=strftime(_time, "%d/%m/%Y %I:%M:%S %p")

Hope this helps somewhat anyway,

Kristian

View solution in original post

ziegfried
Influencer

Here is how to create a new field by parsing and formatting a date value using Splunk's eval command:

... | eval newdatefield = strftime( strptime( myolddatefield, "%b %d %H:%M:%S" ), "%m/%d/%Y %I:%M:%S %p")
  • use strptime() to parse a timestamp value
  • use strftime()to format a timestamp value

kristian_kolb
Ultra Champion

I believe that you'll have to make a two stage operation, first convert your input format to epoch, and the convert it to your desired format.

... | eval epochtime=strptime(your_current_time_field, "%b %d %H:%M:%S")| eval desired_time=strftime(epochtime, "%d/%m/%Y %I:%M:%S %p")

However, since the data coming in has no year specification, I'm not sure that you would get usable results. It may be that you'll have to make changes to the logging application so that the full date is being logged.

For information regarding strftime and strptime, see;

http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions
http://strftime.org


UPDATE:

Ah, ziegfried has an important point. If Splunk has read your timestamp (without the year) and parsed and indexed it correctly (you can compare the the timestamps in the events with the timestamp next to the blue down-arrow-thingy to the left of the event), then you can skip the first part and use the _time field, which is already in epoch.

...| eval desired_time=strftime(_time, "%d/%m/%Y %I:%M:%S %p")

Hope this helps somewhat anyway,

Kristian

inventsekar
Ultra Champion

the docs link seems to be broken,.. hence replying link again..

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/CommonEvalFunctions

 

strftime's "Date and time format variables" docs link...

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Commontimeformatvariables

 

0 Karma

skender27
Contributor

Hi,

I used it for my purposes and it worked.
Thank you very much!

Skender Kollcaku

0 Karma

Ravan
Path Finder

Cool , its working great. Thanks

0 Karma

ziegfried
Influencer

Is it the timestamp, that is recognized by Splunk or do you have an extracted field with this value?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...