Solved: Re: extract date with characters between

sbsbb · ‎01-22-2013

I try to transform a date string, into a date, to enable splunk to sort it.

Here is a sample :
2013-01-17T09:35:49Z

Hi tried :
eval n=strftime(field, " %Y-%m-%dT%H:%M:%SZ")

But it doesn't work. Why ? What would be the best way to do this ?
Is there a way to automate the conversion at searchtime ?

Damien_Dallimor · ‎01-22-2013

If I understand correctly you want to parse the string "2013-01-17T09:35:49Z" into a time value , so you should use str*ptime not strf*time

View solution in original post

Damien_Dallimor · ‎01-22-2013

If I understand correctly you want to parse the string "2013-01-17T09:35:49Z" into a time value , so you should use str*ptime not strf*time

sbsbb · ‎08-15-2014

At index Time, splunk is able to reconize Timeformat automatically, is there a way to use the same recognition an search time, with "convert" for example ?

I have 4 different Timeformat for the same field, and I want to be able to convert it in one way...:
2014-08-15T10:13:00+02:00
2014-08-15T10:13:00.000+02:00
2014-08-15T08:41:36Z
2014-08-15T08:41:36.000Z

if I use
| convert auto()

I only get the year...
But somehow Splunk is able to handle this by indexing, maybe a function is missing being able to use it a search time ?

sbsbb · ‎01-22-2013

It was because of a leading space character... it works now, thanks

Damien_Dallimor · ‎01-22-2013

This worked fine for me, I think you have an accidental space character before the "%Y" :

...| eval foo="2013-01-17T09:35:49Z" | eval goo=strptime(foo,"%Y-%m-%dT%H:%M:%SZ") | table goo

sbsbb · ‎01-22-2013

Ok, thanks, but
eval n=strptime(field, " %Y-%m-%dT%H:%M:%SZ")
still returns no value

extract date with characters between

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!