Hello,
I have a field called in_time with example output = 8/31/2018 10:21:59 PM (GMT)
I'd like this time (e.g. out_time) to be extracted and converted to read 31/08/2018 22:21:59
Can you help?
Many Thanks,
Take a look at the time and date functions for the eval command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/DateandTimeFunctions
You can use strptime to parse a string into a UNIX timestamp and then use strftime to print it to a string again in your preferred format.
Adjusting for timezone offsets can be done by adding the required number of seconds to the UNIX timestamp in between these 2 conversion steps.
I have the same question but I want this to be applicable to all the dashboards/reports/alerts/visualizations. Are there global settings at an 'application' level that will default it to UTC 24 hour rather than making changes for each individual panel?
@joshi_rajesh This question is almost 2 years old with an accepted answer so there's not likely to be many people looking at it. You should post a new question explaining the problem you wish to resolve.
eval unix_time=strptime(in_time, "%m/%d/%Y %H:%M:%S" | fields unix_time
This is the command I have attempted but it throws up an error
Excellent I got it to work 🙂 - I added an hour to make it BST
eval unix_time=strptime(in_time, "%m/%d/%Y %I:%M:%S %p") + 3600 | eval out_time=strftime(unix_time, "%d/%m/%Y %H:%M") | fields out_time
Thank you for your help!
If you don't need the unix_time for anything, you can also do it in one eval:
eval out_time=strftime(strptime(in_time, "%m/%d/%Y %I:%M:%S %p") + 3600, "%d/%m/%Y %H:%M") | fields out_time
What error?
Also: you probably want to use %I instead of %H and add a %p for the AM/PM part.
I also have times in format 31 August 2018 22:21 - can this be converted to 31/08/2018 22:21?
Many thanks,
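
Added example, not part of the original thread: a self-contained search that applies the strptime/strftime approach from the answer to both input formats asked about here, trying each format in turn with coalesce (strptime returns null when the format does not match). The sample values come from the posts above; the field names n and epoch are made up for this example.

```spl
| makeresults count=2
| streamstats count AS n
| eval in_time=if(n=1, "8/31/2018 10:21:59 PM", "31 August 2018 22:21")
| eval epoch=coalesce(strptime(in_time, "%m/%d/%Y %I:%M:%S %p"), strptime(in_time, "%d %B %Y %H:%M"))
| eval out_time=strftime(epoch + 3600, "%d/%m/%Y %H:%M:%S")
| table in_time epoch out_time
```

The fixed + 3600 is the thread's BST adjustment and only matches UK local time while BST is in effect.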