Splunk Search

How to convert the time format to UK and 24 hour time?

aherrington
Path Finder

Hello,

I have a field called in_time with example output = 8/31/2018 10:21:59 PM (GMT)

I'd like this time (e.g. out_time) to be extracted and converted to read 31/08/2018 22:21:59

Can you help?

Many Thanks,

0 Karma
1 Solution

FrankVl
Ultra Champion

Take a look at the time and date functions for the eval command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/DateandTimeFunctions

You can use strptime to parse a string into a UNIX timestamp and then use strftime to print it to a string again in your preferred format.

Adjusting for timezone offsets can be done by adding the required number of seconds to the UNIX timestamp in between these 2 conversion steps.


0 Karma

joshi_rajesh
New Member

I have the same question but I want this to be applicable to all the dashboards/reports/alerts/visualizations. Are there global settings at an 'application' level that will default it to UTC 24 hour rather than making changes for each individual panel?

0 Karma

richgalloway
SplunkTrust

@joshi_rajesh This question is almost 2 years old with an accepted answer so there's not likely to be many people looking at it. You should post a new question explaining the problem you wish to resolve.

---
If this reply helps you, Karma would be appreciated.
0 Karma


aherrington
Path Finder

eval unix_time=strptime(in_time, "%m/%d/%Y %H:%M:%S" | fields unix_time

This is the command I have attempted but it throws up an error

0 Karma

aherrington
Path Finder

Excellent I got it to work 🙂 - I added an hour to make it BST

eval unix_time=strptime(in_time, "%m/%d/%Y %I:%M:%S %p") + 3600 | eval out_time=strftime(unix_time, "%d/%m/%Y %H:%M") | fields out_time

Thank you for your help!

0 Karma

FrankVl
Ultra Champion

If you don't need the unix_time for anything, you can also do it in one eval:

eval out_time=strftime(strptime(in_time, "%m/%d/%Y %I:%M:%S %p") + 3600, "%d/%m/%Y %H:%M") | fields out_time
0 Karma

FrankVl
Ultra Champion

What error?

Also: you probably want to use %I instead of %H and add a %p for the AM/PM part.

0 Karma

aherrington
Path Finder

I also have times in format 31 August 2018 22:21 - can this be converted to 31/08/2018 22:21?

Many thanks,

0 Karma
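
Added example, not part of the original thread: a self-contained search that parses both input formats mentioned above (the 12-hour month-first value and the 31 August 2018 22:21 form) and prints them in day-first 24-hour form. The field names n, epoch and out_time_bst are assumptions made for this example, the sample values are the ones quoted in the thread without the "(GMT)" suffix, and + 3600 is the fixed one-hour offset used in the thread.

```spl
| makeresults count=2
| streamstats count AS n
| eval in_time=case(n=1, "8/31/2018 10:21:59 PM", n=2, "31 August 2018 22:21")
| eval epoch=coalesce(strptime(in_time, "%m/%d/%Y %I:%M:%S %p"), strptime(in_time, "%d %B %Y %H:%M"))
| eval out_time=strftime(epoch, "%d/%m/%Y %H:%M:%S")
| eval out_time_bst=strftime(epoch + 3600, "%d/%m/%Y %H:%M:%S")
| table in_time out_time out_time_bst
```

strptime returns null when a value does not match the format, so coalesce falls through to the second pattern. The + 3600 offset is constant, so it matches BST only while summer time is in effect.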