Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert the date which is in text format (YYYY-MM-DD HH:MM:SS) to a new field called "month_name" (MMM)

tejasbharadwaj
New Member
‎05-31-2017 04:26 AM

Hello,

I have a field name called "opened_at" where the date in this field is in text format (YYYY-MM-DD HH:MM:SS). Now, using "opened_at" field, I need to create a new field called "month_name" which should display only month in (MMM) format.

Example:- If my date in the field "opened_at" is in text format (2017-05-31 10:20:10), then the new field should be populated as "month_name" and it should show the result as "May".

Please help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-31-2017 05:53 AM

If you already have a field named opened_at extracted then do it this way -

<your search> | eval month_name=strftime(strptime(opened_at,"%F %T"),"%b")

Here are details of the time functions used - http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/CommonEvalFunctions

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-31-2017 05:54 AM

A combination of strptime to convert the existing time into an epoch, then a strftime to convert it to the format you want.

... | eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")

Should do it.

A run anywhere example:

| makeresults 
| eval opened_at = "2017-05-31 10:20:10"
| eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-31-2017 05:55 AM

Also, "%b" could be used at the end to get the 3-character month abbreviation.

Links for reference:
Eval Date and Time functions
Common Time Format Variables

0 Karma
Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-31-2017 05:53 AM

If you already have a field named opened_at extracted then do it this way -

<your search> | eval month_name=strftime(strptime(opened_at,"%F %T"),"%b")

Here are details of the time functions used - http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/CommonEvalFunctions

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...