Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to uniform format for timestamp?

manimuthu
Loves-to-Learn Everything
‎04-01-2022 11:57 AM

Hi All,

after querying and grouping my data, my timestamp is of different format like

2021-01-20 07:22:34.545674

2020-02-18T11:03:44.543+0000

2021-01-25T11:05:33.003Z

2022-04-01 19:51:01.411826Z

2021-05-22 02:49:26.607839

How to have a uniform format for all the timestamp values in the stats table 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-02-2022 03:45 AM

Where do these timestamps come from? It's a relatively rare situation that you need to use the timestamp from a different part of event than _time field if the event is properly parsed.

I'm not saying it doesn't happen but it's relatively rare.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-01-2022 11:21 PM

It seems like your timestamps are coming as string values in some field (for example my_timestamp) You need to handle each date format and then combine everything with coalesce.

| eval time1=strptime(my_timestamp, "%F %T.%6N")
| eval time2=strptime(my_timestamp, "%FT%T.%3NZ")
....
| eval my_timestamp=coalesce(time1, time2, time3, ....)
| eval my_timestamp=strftime(my_timestamp, "%F %T")

 

See date-time format parameters - https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Commontimeformatvariables 

0 Karma
Reply

manimuthu
Loves-to-Learn Everything
‎04-02-2022 12:56 PM

Thanks a lot for all the replies. Actually instead of using timestamps that are coming as string values in some field, i used _time so, that helped me to avoid these different timestamp's formats issue. 

Actually 

| eval my_timestamp=strftime(my_timestamp, "%F %T")

this line helped me a lot . Really thanks for all who took their precious time and efforts to help me  

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-03-2022 08:28 AM

If the answer helped you kindly consider accepting the answer!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...