Reporting

Convert non-standard date field to $m/$d/$y at search time

asofo
Path Finder

Hi, I'm pulling Tenable IO logs into Splunk and there is a field named first_found in regard to a vulnerability. The format is UNIX. I'd like to take that field data and create a new field and format it as $m/$d/$y at search time. I've scoured this site and reddit and can't get it to work.

Here is an example:

first_found = 2020-05-27T04:17:39.159Z

would like to create:

new_date = 5/27/2020

I've tried the below, but with no luck:

(search query) | convert timeformat="%m/%d/%y" ctime(first_found) AS new_date

Any help would be appreciated.

0 Karma

richgalloway
SplunkTrust

To convert a time string into a different format, use strptime() to convert it into epoch form and strftime() to convert that to the new string format.

| eval new_date = strftime(strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z"), "%m/%d/%Y")
---
If this reply helps you, Karma would be appreciated.
0 Karma
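As an added check that is not part of richgalloway's reply, this search builds the sample value from the question with makeresults and runs the strptime/strftime conversion on it; the last eval drops the leading zeros to produce the 5/27/2020 form the question asked for. The convert command's ctime() expects an epoch number, so it cannot parse the ISO 8601 string first_found holds, which is why the original attempt did not work.

```spl
| makeresults
| eval first_found="2020-05-27T04:17:39.159Z"
| eval first_found_epoch=strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval new_date=strftime(first_found_epoch, "%m/%d/%Y")
| eval new_date_short=tonumber(strftime(first_found_epoch, "%m")) . "/" . tonumber(strftime(first_found_epoch, "%d")) . "/" . strftime(first_found_epoch, "%Y")
| table first_found first_found_epoch new_date new_date_short
```

Once the expression is confirmed on the sample, the same strftime(strptime(...)) expression can be made permanent as a calculated field (an EVAL-new_date entry in the props.conf stanza for the Tenable sourcetype) so the field exists automatically at search time.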