Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

reformat date, timestamp

efelder0
Communicator
‎01-04-2012 07:38 AM

I am trying to reformat a date/time stamp field from within my output.

Here is the current format: 21:32:31-Dec 08 2011

New format: 12/08/2011 21:32:31 AM/PM

thanks.

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎01-04-2012 08:11 AM

Convert it to an intermediate time_t and back again, using eval's strptime and strftime functions. Something like:

blah blah blah | eval myfield=strftime(strptime(myfield,"%H:%M:S-%b %d %Y"),"%M/%D/%Y %I:%M:%S %P"))
0 Karma
Reply

lguinn2
Legend
‎01-04-2012 08:10 AM

Does Splunk recognize this as a timestamp? For my answer below, I will assume that Splunk extracted the date into the _time field. An easy way to do this is to create a new field with eval:

<yoursearchhere> | eval formattedTime = strftime(_time, "%D %r") | table formattedTime <otherfieldshere>

Once you have created the new field, you can use it however you like; I just supplied the table command as an example. Google "strftime" for more formatting options.
If the datetime is contained in a different field, substitute that field name for _time. If Splunk didn't extract the field for you, post a bit more of the event (showing the timestamp in context) and someone will be able to help you extract it.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...