Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- extract date with characters between
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I try to transform a date string, into a date, to enable splunk to sort it.
Here is a sample :
2013-01-17T09:35:49Z
Hi tried :
eval n=strftime(field, " %Y-%m-%dT%H:%M:%SZ")
But it doesn't work. Why ? What would be the best way to do this ?
Is there a way to automate the conversion at searchtime ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand correctly you want to parse the string "2013-01-17T09:35:49Z" into a time value , so you should use str*ptime not strf*time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand correctly you want to parse the string "2013-01-17T09:35:49Z" into a time value , so you should use str*ptime not strf*time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At index Time, splunk is able to reconize Timeformat automatically, is there a way to use the same recognition an search time, with "convert" for example ?
I have 4 different Timeformat for the same field, and I want to be able to convert it in one way...:
2014-08-15T10:13:00+02:00
2014-08-15T10:13:00.000+02:00
2014-08-15T08:41:36Z
2014-08-15T08:41:36.000Z
if I use
| convert auto()
I only get the year...
But somehow Splunk is able to handle this by indexing, maybe a function is missing being able to use it a search time ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was because of a leading space character... it works now, thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked fine for me, I think you have an accidental space character before the "%Y" :
...| eval foo="2013-01-17T09:35:49Z" | eval goo=strptime(foo,"%Y-%m-%dT%H:%M:%SZ") | table goo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, thanks, but
eval n=strptime(field, " %Y-%m-%dT%H:%M:%SZ")
still returns no value
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
