Solved: Change Date Format Display

togmolodon · ‎04-03-2014

Hi,

I just want to change the displayed date format from 2014-04-03T23:00:00.000Z to 2014-04-03 19:00 i.e., convert from Zulu to GMT-4 using the date field.

I can't seem to figure this one out.

Many thanks!

togmolodon · ‎04-04-2014

@martin_mueller
Changing the timezone via settings is not an option for me, thanks though for your insight.

@linu1988
I am getting an error when I tried yours, thanks anyways.

FYI, I was able to make it work using the following:

eval epochtime = strptime(date,"%FT%H:%M:%S.%3Q")-14400 | eval "Revised" = strftime(epochtime, "%F %H:%M %p") | table Revised

View solution in original post

togmolodon · ‎04-04-2014

@martin_mueller
Changing the timezone via settings is not an option for me, thanks though for your insight.

@linu1988
I am getting an error when I tried yours, thanks anyways.

FYI, I was able to make it work using the following:

eval epochtime = strptime(date,"%FT%H:%M:%S.%3Q")-14400 | eval "Revised" = strftime(epochtime, "%F %H:%M %p") | table Revised

linu1988 · ‎04-04-2014

i thought you had your default timeforamt in _time field!! Btw good that you have done it.

martin_mueller · ‎04-04-2014

You can set the timezone for your user to GMT-4: SplunkBar -> Username -> Edit Account -> Timezone
That will make Splunk render all timestamps, including custom strftime() outputs, as GMT-4. It won't affect _raw text of course.

linu1988 · ‎04-03-2014

|eval _time=_time-(4*3600)|convert  timeformat="%y-%m-%d %H:%M" ctime(_time)

Change Date Format Display

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Change Date Format Display

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle