How to convert the time format to UK and 24 hour time?

aherrington
Path Finder

Hello,

I have a field called in_time with example output = 8/31/2018 10:21:59 PM (GMT)

I'd like this time (e.g. out_time) to be extracted and converted to read 31/08/2018 22:21:59

Can you help?

Many Thanks,

0 Karma

FrankVl
Ultra Champion

Take a look at the time and date functions for the eval command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/DateandTimeFunctions

You can use strptime to parse a string into a UNIX timestamp and then use strftime to print it to a string again in your preferred format.

Adjusting for timezone offsets can be done by adding the required number of seconds to the UNIX timestamp in between these 2 conversion steps.

0 Karma

joshi_rajesh
New Member

I have the same question, but I want this to be applicable to all the dashboards/reports/alerts/visualizations. Is there a global setting at an 'application' level that will default it to UTC 24 hour rather than making changes for each individual panel?

0 Karma

richgalloway
SplunkTrust

@joshi_rajesh This question is almost 2 years old with an accepted answer so there's not likely to be many people looking at it. You should post a new question explaining the problem you wish to resolve.

---
If this reply helps you, Karma would be appreciated.
0 Karma

aherrington
Path Finder

eval unix_time=strptime(in_time, "%m/%d/%Y %H:%M:%S" | fields unix_time

This is the command I have attempted but it throws up an error

0 Karma

aherrington
Path Finder

Excellent I got it to work 🙂 - I added an hour to make it BST

eval unix_time=strptime(in_time, "%m/%d/%Y %I:%M:%S %p") + 3600 | eval out_time=strftime(unix_time, "%d/%m/%Y %H:%M") | fields out_time

Thank you for your help!

0 Karma

FrankVl
Ultra Champion

If you don't need the unix_time for anything, you can also do it in one eval:

eval out_time=strftime(strptime(in_time, "%m/%d/%Y %I:%M:%S %p") + 3600, "%d/%m/%Y %H:%M") | fields out_time
0 Karma

FrankVl
Ultra Champion

What error?

Also: you probably want to use %I instead of %H and add a %p for the AM/PM part.

0 Karma

aherrington
Path Finder

I also have times in format 31 August 2018 22:21 - can this be converted to 31/08/2018 22:21?

Many thanks,

0 Karma
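
An added example, not part of the original thread and not Splunk code: the same parse, shift, format steps in Python, usable outside Splunk to check the conversion for both layouts mentioned above and to see where a fixed +3600 diverges from UK civil time. It assumes both inputs are GMT and hard-codes the current UK rule (BST runs from 01:00 UTC on the last Sunday of March to 01:00 UTC on the last Sunday of October); all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# The thread's two input layouts and the requested UK 24-hour output.
IN_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%d %B %Y %H:%M")
OUT_FORMAT = "%d/%m/%Y %H:%M:%S"


def parse_gmt(in_time: str) -> datetime:
    """Parse either layout as a GMT instant (assumption); ValueError if neither fits."""
    text = in_time.replace("(GMT)", "").strip()
    for fmt in IN_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised time layout: {in_time!r}")


def last_sunday_0100(year: int, month: int) -> datetime:
    """01:00 UTC on the last Sunday of March or October (both have 31 days)."""
    day = datetime(year, month, 31, 1, 0, tzinfo=timezone.utc)
    return day - timedelta(days=(day.weekday() + 1) % 7)


def uk_offset(instant: datetime) -> timedelta:
    """+1h while BST is in effect, otherwise 0 (a tz database gives the same answer)."""
    start = last_sunday_0100(instant.year, 3)
    end = last_sunday_0100(instant.year, 10)
    return timedelta(hours=1) if start <= instant < end else timedelta(0)


def to_uk(in_time: str, fixed_offset_s=None) -> str:
    """Convert to dd/mm/YYYY 24-hour text; fixed_offset_s mimics the thread's +3600."""
    instant = parse_gmt(in_time)
    if fixed_offset_s is None:
        shift = uk_offset(instant)
    else:
        shift = timedelta(seconds=fixed_offset_s)
    return (instant + shift).strftime(OUT_FORMAT)


if __name__ == "__main__":
    # Constructed samples: the thread's two layouts plus one winter timestamp.
    for sample in ("8/31/2018 10:21:59 PM (GMT)", "31 August 2018 22:21",
                   "12/31/2018 10:21:59 PM (GMT)"):
        print(sample, "->", to_uk(sample), "| fixed +3600:", to_uk(sample, 3600))
```

For the winter sample the fixed +3600 result is an hour ahead of UK civil time, which matters when these strings are lined up against other logs in a timeline.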