Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a search to change the format of a date from "1942-01-24" to "24/01/1942"?

IRHM73
Motivator
‎10-02-2015 01:54 AM

Hi,

I wonder whether someone may be able to help me please.

I have a date in one of my searches which is in this format: 1942-01-24

Could someone tell me please if is it possible to change this to: 24/01/1942

Many thanks and kind Regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎10-02-2015 03:08 AM

Another way of converting would be:

| stats count | eval date="1942-01-24" | eval date=replace(date,"(\d+)-(\d+)-(\d+)","\3/\2/\1") | table date

Hth,
Kai.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-04-2015 10:19 AM

Like this:

 | stats count | eval date="1942-01-24" | rex mode=sed field=date "s/(\d+)-(\d+)-(\d+)/\3\/\2\/\1/" | table date
Reply
Solved! Jump to solution

IRHM73
Motivator
‎10-04-2015 11:02 PM

Hi @woodcock, thank you for taking the time to reply to my post. Your solution works great.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎10-02-2015 03:08 AM

Another way of converting would be:

| stats count | eval date="1942-01-24" | eval date=replace(date,"(\d+)-(\d+)-(\d+)","\3/\2/\1") | table date

Hth,
Kai.

Reply
Solved! Jump to solution

IRHM73
Motivator
‎10-04-2015 10:59 PM

Hi @kai, thank you for taking the time to reply to my post.

This works perfectly.

Many thanks and kindest regards

Chris

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎10-02-2015 02:37 AM

What with this?

・・・・|eval a="2015-10-02"|eval b=strftime(strptime(a,"%Y-%m-%d"),"%d/%m/%Y")|eval c=substr(a,9,2)+"/"+substr(a,6,2)+"/"+substr(a,1,4)|table a b c

However, use the C because that can not be calculated in 1942.

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎10-02-2015 02:42 AM

Hi, thank you for this.

I changed the date you entered to my field name to get the raw data and I've included a, b and c in my table but unfortunately this doesn't return any data.

Is it also possible that the output could be displayed in one field rather than a, b and c.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎10-02-2015 02:49 AM

Normally I think it is correct to convert using the strptime.
However, the date of the previous 1970 this function does not seem to work.

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎10-02-2015 04:08 AM

Many thanks, hopefully someone else may be able to look at this.

Kind regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top