Splunk Search

How to do the time conversion for 2017-04-14T13:52:21.000Z to a readable format?

Path Finder

How to do the time conversion for 2017-04-14T13:52:21.000Z to an understandable format? Can anyone please tell me the query? Thanks!


Splunk Employee

Try something like this:

[YOUR BASE SEARCH]
| eval newformat=strftime(strptime(yourtimefield,"Current format of date/time field"),"Format you want the date/time in") 
| table yourtimefield newformat

Example with current format and new format:

[YOUR BASE SEARCH]
| eval newformat=strftime(strptime(yourtimefield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p") 
| table yourtimefield newformat

To help determine your time format, see Date and Time Format Variables documentation: http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Commontimeformatvariables



Esteemed Legend

Like this:

... | foreach start_date end_table [ eval <<FIELD>> = strptime(<<FIELD>>, "%Y-%m-%dT%H:%M:%S.%3q%Z") | fieldformat <<FIELD>> = strftime(<<FIELD>>, "%m/%d/%Y %H:%M:%S") ] | table start_date end_table

Path Finder

Not working. These are my field names: alertstartedat, alertendedat.

And I am trying to show the alertstartedat alertendedat readable format in the table.

Can you please help me with this one?

Thanks


Esteemed Legend

You need to be sure that you are specifying your details correctly; did you try changing the field names in the foreach and table commands to match what they really are? Also, if you have a solution, make sure to click Accept on an answer to close your question.


Splunk Employee

Try this:

[YOUR BASE SEARCH]
| eval alertstartedat=strftime(strptime(alertstartedat,"%Y-%m-%dT%H:%M:%S.%3q%Z"),"%m/%d/%Y %p")
| eval alertendedat=strftime(strptime(alertendedat,"%Y-%m-%dT%H:%M:%S.%3q%Z"),"%m/%d/%Y %p")
| table alertstartedat alertendedat

This will overwrite the original values of alertstartedat and alertendedat, so if you want to keep those original values, you should change the field name before the equals sign to your new field name. Also, the second date format is just an example; use the documentation link from my earlier answer to format the date the way you want it.

The first format should work for your posted date format in your question.


Path Finder

Old format : 2017-05-12T13:34:31.000Z

New format (after applying): 04/12/2017 PM


Splunk Employee

What format would you like it to be in?


Path Finder

Like 04/12/2017 T %H:%M:%S PM %Z


Splunk Employee

Change the second format in each eval statement to:

%m/%d/%Y T %H:%M:%S %Z

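The accepted answer's strftime(strptime(...)) round trip and the final output format above, as an added Python example that is not part of the original thread. It assumes Python 3.7+, where Splunk's %3q (milliseconds) is written as %f and the trailing literal "Z" is parsed by %z; the sample events are constructed and use the field names from this thread (alertstartedat, alertendedat). It also shows the failure mode seen later in the thread: a value that does not match the strptime format comes back null, which is what an empty column in the table means, and it writes the converted value to a new field so the raw value is not overwritten.

```python
from datetime import datetime
from typing import Optional

# Constructed sample events with the field names used in this thread.
# The second event's end field deliberately does not match the input format.
EVENTS = [
    {"alertstartedat": "2017-04-14T13:52:21.000Z",
     "alertendedat": "2017-04-14T14:07:05.000Z"},
    {"alertstartedat": "2017-05-12T13:34:31.000Z",
     "alertendedat": "05/12/2017 13:40:00"},
]

# Splunk's strptime format "%Y-%m-%dT%H:%M:%S.%3q%Z" written for Python (assumption):
# Splunk's %3q (milliseconds) becomes %f, and the trailing literal "Z" is
# parsed by %z (Python 3.7+), which yields a UTC-aware datetime.
IN_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
# The output format the question finally settled on.
OUT_FMT = "%m/%d/%Y T %H:%M:%S %Z"


def convert(value: Optional[str], in_fmt: str = IN_FMT,
            out_fmt: str = OUT_FMT) -> Optional[str]:
    """strftime(strptime(value, in_fmt), out_fmt), returning None on mismatch.

    Splunk's strptime returns null when the input does not match the format,
    and a null field shows up as an empty column in `table`; Python raises
    ValueError instead, so that case is mapped to None here to mimic Splunk.
    """
    if value is None:
        return None
    try:
        parsed = datetime.strptime(value, in_fmt)
    except ValueError:
        return None
    return parsed.strftime(out_fmt)


def format_events(events, fields, suffix="_readable"):
    """Apply convert() to each named field, writing the result to a new field.

    Writing to <field><suffix> keeps the raw value, which is the point made in
    the thread about `eval field=...` overwriting the original.
    """
    out = []
    for event in events:
        row = dict(event)
        for field in fields:
            row[field + suffix] = convert(event.get(field))
        out.append(row)
    return out


def unparsed_values(events, fields):
    """List (field, value) pairs that failed to parse: the first thing to
    check when the table comes back empty."""
    bad = []
    for event in events:
        for field in fields:
            if convert(event.get(field)) is None:
                bad.append((field, event.get(field)))
    return bad


if __name__ == "__main__":
    fields = ["alertstartedat", "alertendedat"]
    for row in format_events(EVENTS, fields):
        print(row["alertstartedat_readable"], "|", row["alertendedat_readable"])
    print("unparsed:", unparsed_values(EVENTS, fields))
```

When a Splunk table comes back empty, the equivalent of unparsed_values() is to run the strptime eval on its own (without the strftime) and look for null results; a null there means the input format string, not the output one, is the problem.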

Path Finder

Worked Thanks!


Splunk Employee

Great! Glad I could help.



Path Finder

What I am trying to do is put the startdate and endtable (readable format) in the table chart.


Splunk Employee

So, to make sure I understand, you have 2 date/time fields: startdate and enddate, and you want to format them and put them in a table?


Path Finder

Yes, exactly.


Path Finder

I am trying to show the Alert start and end date and time.


Splunk Employee

In that case you would use the same method:

[YOUR BASE SEARCH]
| eval starttime=strftime(strptime(startfield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p")
| eval endtime=strftime(strptime(endfield,"%H:%M:%S.%3q %Z %b %d %Y"),"%m/%d/%Y %p")
| table starttime endtime

Again, replace the formats I am using with your current and desired format. Does this help?


Path Finder

It is not working. It shows an empty table with only the field name (Start_time).


Splunk Employee

Are you replacing startfield and endfield with your fields, and have you changed the format in the strptime to the current format?


Path Finder

Hi, I need some help regarding Sparkline / Trend Indicator.

Can you please correct the query below and change it to a Sparkline / Trend Indicator?

index=main sourcetype=description | stats count as alertrisklevel | eval alertrisklevel=alertrisklevel/1000 | eval alertrisklevel=round(alertrisklevel,2)

Right now I am trying to do this trending over time for the risk identifier, meaning high, medium and low risk.

Thanks in Advance!


Splunk Employee

Is there a particular format you wanted it in?
