How to change the date format from 'yyyy-mm-dd' to...

Neel88 · ‎02-01-2023

I am working on the saved search not index/lookup.

I tried this code -

| eval date=strftime(strptime(<fieldname>,"%Y-%m-%d %H:%M:%S"), "%m-%d-%Y %H:%M:%S")

but getting the blank data. Pls help

bowesmana · ‎02-01-2023

There is nothing wrong with the eval statement, so it means that your field (which I assume is not the "<fieldname>" but the name of a field) is not in that format.

| makeresults
| eval x="2023-02-02 04:02:01"
| eval date=strftime(strptime(x,"%Y-%m-%d %H:%M:%S"), "%m-%d-%Y %H:%M:%S")

Neel88 · ‎02-01-2023

| loadjob savedsearch="nobody:splunk_fcr_evo:last_31_days_monitoring_data"
| eval New_date=strftime(strptime(Date,"%Y-%m-%d %H:%M:%S"), "%m-%d-%Y %H:%M:%S")
| fields Date, adt, FLOW, NB1, New_date

Above gives blank results in the New_date column

bowesmana · ‎02-01-2023

Please show the value of the Date field after the loadjob

Neel88 · ‎02-02-2023

Date

2022-06-04

2022-06-05

isoutamo · ‎02-02-2023

Hi

your Date is not in the same format as you are using on strptime. You haven’t have hours, minutes and seconds on it. For that reason this didn’t work. Just drop those away from format or use field which contains also those.

r. Ismo

How to change the date format from 'yyyy-mm-dd' to 'mm-dd-yyyy' on the saved search?

count

eval

field extraction

fields

lookup

stats

tstats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

How to change the date format from 'yyyy-mm-dd' to 'mm-dd-yyyy' on the saved search?