Solved: How to change Date format to abbreviated month?

ajdyer2000 · ‎04-24-2022

Hi was wondering if possible, how to convert a date field into an abbreviate Month (Jan , Feb, Mar, Apr)

So the 2 fields on the left are existing fields and the ones on the right would be the new ones

Created	Closed	Month_Open	Month_Closed
8/27/2020 3:37	9/2/2020 12:00	Aug	Sep
10/15/2020 3:31	10/21/2020 12:00	Oct	Oct
11/5/2020 3:59	11/10/2020 5:17	Nov	Nov
12/3/2020 3:33	4/13/2022 10:48	Dec	Apr

ajdyer2000 · ‎04-24-2022

Thank you so much Pickle Rick. That works 😊

View solution in original post

ajdyer2000 · ‎04-24-2022

Thank you so much Pickle Rick. That works 😊

PickleRick · ‎04-24-2022

Sure. Use eval or fieldformat with strftime()

<your_search>
| eval Month_Open=stftime(Created,"%b")
| eval Month_Closed=strftime(Closed,"%b")

You have to have your Created and Closed fields as timestamps though so if you have them as strings you'd have to strptime() them to a timestamp first. (I'm wondering if parsing out the month from the original date string and using lookup to get the month name wouldn't be more efficient but that's a completely another story).

How to change Date format to abbreviated month?

eval

field extraction

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?