Solved: Re: Strftime/Strptime not including leading zero

mistydennis · ‎04-04-2019

DateField before eval: 20190402000000

I'm trying to apply strftime/strptime so the DateField will show as 2019-04-02

My eval:

| eval DateField=strftime(strptime('DateField',"%Y%m%d"), "%F")

This eval produces 2019-04-20 instead of 2019-04-02. I thought %d included a leading zero, but it's not showing in my date. Where did I go wrong?

vnravikumar · ‎04-04-2019

Hi

Try

| eval DateField=strftime(strptime('DateField',"%Y%m%d%H%M%S"), "%Y-%m-%d")

View solution in original post

somesoni2 · ‎04-04-2019

I believe additional zeros in your timestamp are causing issue. Ideally, your strptime time format should include all characters appearing in your DateField, that way every character is properly processes. Give this a try (runanywhere sample, look for time format in DateField2)

| gentimes start=-1 | eval DateField="20190402000000" | table DateField  | eval DateField1=strftime(strptime('DateField',"%Y%m%d"), "%F")| eval DateField2=strftime(strptime('DateField',"%Y%m%d000000"), "%F")

mistydennis · ‎04-04-2019

This also worked. Thanks so much, @somesoni2

vnravikumar · ‎04-04-2019

Hi

Try

| eval DateField=strftime(strptime('DateField',"%Y%m%d%H%M%S"), "%Y-%m-%d")

mistydennis · ‎04-04-2019

That did it, thank you!

Strftime/Strptime not including leading zero

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation