Re: How to uniform format for timestamp?

manimuthu · ‎04-01-2022

Hi All,

after querying and grouping my data, my timestamp is of different format like

2021-01-20 07:22:34.545674

2020-02-18T11:03:44.543+0000

2021-01-25T11:05:33.003Z

2022-04-01 19:51:01.411826Z

2021-05-22 02:49:26.607839

How to have a uniform format for all the timestamp values in the stats table

PickleRick · ‎04-02-2022

Where do these timestamps come from? It's a relatively rare situation that you need to use the timestamp from a different part of event than _time field if the event is properly parsed.

I'm not saying it doesn't happen but it's relatively rare.

VatsalJagani · ‎04-01-2022

It seems like your timestamps are coming as string values in some field (for example my_timestamp) You need to handle each date format and then combine everything with coalesce.

| eval time1=strptime(my_timestamp, "%F %T.%6N")
| eval time2=strptime(my_timestamp, "%FT%T.%3NZ")
....
| eval my_timestamp=coalesce(time1, time2, time3, ....)
| eval my_timestamp=strftime(my_timestamp, "%F %T")

See date-time format parameters - https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Commontimeformatvariables

manimuthu · ‎04-02-2022

Thanks a lot for all the replies. Actually instead of using timestamps that are coming as string values in some field, i used _time so, that helped me to avoid these different timestamp's formats issue.

Actually

| eval my_timestamp=strftime(my_timestamp, "%F %T")

this line helped me a lot . Really thanks for all who took their precious time and efforts to help me

VatsalJagani · ‎04-03-2022

If the answer helped you kindly consider accepting the answer!!!

How to uniform format for timestamp?

development

troubleshooting

using Splunk Enterprise

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?