How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

How to do the time conversion for 2017-04-14T13:52:21.000Z to an understandable format? Anyone, please tell me the query. Thanks!

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Splunk Employee

Is there a particular format you wanted it in?

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

Nothing particular, I just want it in a readable format. What I am trying to do is put the startdate and endtable in the table chat.

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Splunk Employee

Try something like this:

[YOUR BASE SEARCH]
| eval newformat=strftime(strptime(yourtimefield,"Current format of date/time field"),"Format you want the date/time in") 
| table yourtimefield newformat

Example with current format and new format:

[YOUR BASE SEARCH]
| eval newformat=strftime(strptime(yourtimefield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p") 
| table yourtimefield newformat

To help determine your time format, see Date and Time Format Variables documentation: http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Commontimeformatvariables

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

What I am trying to do is put the startdate and endtable(Readable format) in the table chat.

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Splunk Employee

So, to make sure I understand, you have 2 date/time fields: startdate and enddate, and you want to format them and put them in a table?

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

Yes, exactly.

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

I am trying to show the Alert start and end date and time.

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Splunk Employee

In that case you would use the same method:

[YOUR BASE SEARCH]
| eval starttime=strftime(strptime(startfield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p")
| eval endtime=strftime(strptime(endfield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p")
| table starttime endtime

Again, replace the formats I am using with your current and desired format. Does this help?

0 Karma

Re: How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

It is not working. Showing an empty table with the field name (Start_time).

0 Karma
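
Added example, not part of any reply in the thread: the strptime/strftime method from the replies applied to the timestamp in the question, with a check for the null that strptime returns when the format string does not match the input (which produces an empty column). Assumptions: the fields are named startdate and enddate as in the thread, the enddate value is constructed, the trailing Z is consumed by %Z as UTC, and start_epoch, end_epoch, wrong_format, parse_status and duration are hypothetical field names.

```spl
| makeresults
| eval startdate="2017-04-14T13:52:21.000Z", enddate="2017-04-14T14:10:05.000Z"
| eval start_epoch=strptime(startdate, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval end_epoch=strptime(enddate, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval wrong_format=strptime(startdate, "%H:%M:%S.%3q %Z %b %d %Y")
| eval parse_status=if(isnull(start_epoch) OR isnull(end_epoch), "format mismatch", "ok")
| eval Start_time=strftime(start_epoch, "%m/%d/%Y %I:%M:%S %p")
| eval End_time=strftime(end_epoch, "%m/%d/%Y %I:%M:%S %p")
| eval duration=tostring(round(end_epoch - start_epoch), "duration")
| table startdate Start_time enddate End_time duration parse_status wrong_format
```

strftime renders the result in the time zone of the user running the search, so Start_time and End_time can differ from the UTC clock time in the raw value.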