Splunk Search

How to convert string date format to other date format?

prabu116
Engager

I have a string like this: 08Aug2017 10:12:55 CDT

I want the date format to be: 08-Aug-2017 10:12:55 CDT


niketn
Legend

@prabu116, you can use the replace() function with the eval command. The following is a run-anywhere search; substitute your own base search and field name.

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")

cpetterborg
SplunkTrust

And a fourth answer using a different method (only the rex command is really the answer part):

| makeresults | eval date="08Aug2017 10:12:55 CDT"
| rex field=date mode=sed "s/(\d\d)(\w{3})(\d{4})/\1-\2-\3/"

One reason Splunk is great is that there are so many ways to do something. I thought it would be good to provide multiple ways here because we can all learn from what others do. I think all the previous answers are good and worth looking at. Mine is very simple, relying only on a single rex command, but if you need something more complicated than what it will do, I think that woodcock's and cmerriman's answers can give you the most flexibility if you need to go with a format that differs more than you have described. I'm up-voting those answers.

woodcock
Esteemed Legend

The right way to do it is to convert to time_t (AKA "epoch") and KEEP it that way. Then use fieldformat to make it look pretty:

... | eval MyDate=strptime(MyDate,"%d%b%Y %H:%M:%S %Z")
| fieldformat MyDate = strftime(MyDate, "%d-%b-%Y %H:%M:%S %Z")

cmerriman
Super Champion

Try this:

|eval date=strftime(strptime(dateField,"%d%b%Y %H:%M:%S %Z"),"%d-%b-%Y %H:%M:%S %Z")

It basically converts your string to epoch time and then renders it back as a date string in the format you want.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
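The same two strategies from the answers above (the text-only replace()/rex rewrite, and parse-to-epoch-then-format with strptime/strftime) expressed in Python for readers who need to normalise timestamps in this format outside Splunk, for example when building a timeline from several log sources. This is an added example, not code from the thread; the sample strings are constructed, and the abbreviation-to-offset table is an assumption that must be pinned to the log source's locale, since abbreviations like CST are ambiguous across regions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples in the format from the question. The second one is the
# same instant expressed in US Eastern time, to show why epoch comparison
# beats string comparison.
SAMPLE_CDT = "08Aug2017 10:12:55 CDT"
SAMPLE_EDT = "08Aug2017 11:12:55 EDT"

# Assumed abbreviation -> UTC offset (hours) table. Abbreviations are
# ambiguous in general ("CST" is also China Standard Time, UTC+8), so pin
# this table to the locale of the log source you are normalising.
TZ_OFFSET_HOURS = {
    "UTC": 0, "GMT": 0,
    "EST": -5, "EDT": -4,
    "CST": -6, "CDT": -5,
    "MST": -7, "MDT": -6,
    "PST": -8, "PDT": -7,
}


def reformat_by_regex(s: str) -> str:
    """Text-only rewrite, like the replace() and rex sed answers.

    It inserts hyphens after the day and month but never validates the
    value, so '99Xyz2017 ...' is rewritten just as happily.
    """
    return re.sub(r"^(\d{2})(\w{3})(\d{4})", r"\1-\2-\3", s)


def _zone(abbr: str) -> timezone:
    """Resolve an abbreviation to a fixed-offset zone via the assumed table."""
    if abbr not in TZ_OFFSET_HOURS:
        raise ValueError(f"unknown timezone abbreviation: {abbr!r}")
    return timezone(timedelta(hours=TZ_OFFSET_HOURS[abbr]), name=abbr)


def parse_to_epoch(s: str) -> float:
    """Parse '08Aug2017 10:12:55 CDT' to Unix epoch seconds (UTC).

    Python's strptime only accepts %Z for UTC/GMT and the local zone, so the
    abbreviation is split off and resolved through the table instead.
    """
    stamp, _, abbr = s.rpartition(" ")
    naive = datetime.strptime(stamp, "%d%b%Y %H:%M:%S")  # raises on bad input
    return naive.replace(tzinfo=_zone(abbr)).timestamp()


def format_epoch(epoch: float, abbr: str = "UTC") -> str:
    """Display step, the equivalent of fieldformat/strftime in the thread."""
    return datetime.fromtimestamp(epoch, _zone(abbr)).strftime("%d-%b-%Y %H:%M:%S %Z")


def same_instant(a: str, b: str) -> bool:
    """True when two stamps, possibly in different zones, denote one instant."""
    return parse_to_epoch(a) == parse_to_epoch(b)


if __name__ == "__main__":
    print(reformat_by_regex(SAMPLE_CDT))
    epoch = parse_to_epoch(SAMPLE_CDT)
    print(epoch, format_epoch(epoch, "CDT"), format_epoch(epoch))
    # String order says the CDT stamp is earlier; the epoch values are equal.
    print(SAMPLE_CDT < SAMPLE_EDT, same_instant(SAMPLE_CDT, SAMPLE_EDT))
```

The regex rewrite is fine for cosmetics, but only the epoch path gives you values you can sort, subtract and compare across sources, which is woodcock's point about keeping the field numeric and formatting only at display time.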


prabu116
Engager

This works fine. Thanks a lot, niketnilay.


niketn
Legend

Glad it worked. You have plenty of options to choose from 🙂
