Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

TIme Conversion

krvamsireddy
Explorer
‎09-11-2020 12:26 AM

Hi ,

how to change the below raw time field to yyyy-mm-dd hh:mm:ss

2020-09-09T18:21:12.2685607Z

am using the below query and didnt get any result 

eval time = strftime(activityDateTime,"%Y-%m-%d %H:%M:%S")

Can someone please help

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-11-2020 01:39 AM

@krvamsireddy 

check updated answer.

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-11-2020 01:19 AM

strftime is used to convert unix timestamp to human readable format.

you should use strptime to convert time which is already in human readable format if you need to format it.

| makeresults | eval activityDateTime="2020-09-09T18:21:12.2685607Z"
| eval time = strftime(strptime(activityDateTime,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d %H:%M:%S")
————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

krvamsireddy
Explorer
‎09-11-2020 01:27 AM

 

krvamsireddy_2-1599812787173.png

 

still in the old format, and time column is still blank 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 01:06 AM

What do you mean by raw time field? What fields do you have? Do you get anything in the time field you created?

0 Karma
Reply
Solved! Jump to solution

krvamsireddy
Explorer
‎09-11-2020 01:29 AM

No i didnt get anything.

raw time field - time format which i get in the event 

activityDateTIme

krvamsireddy_0-1599812918849.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-11-2020 01:39 AM

@krvamsireddy 

check updated answer.

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 01:32 AM

Looks like you need to parse the activityDateTime with strptime and then format that with strftime

 

eval time = strptime(strptime(activityDateTime, "%Y-%m-%dT%H:%M:%S.%Q"),"%Y-%m-%d %H:%M:%S")

Or you could just parse the activityDateTime string into an epoch time and the use fieldformat on the time field for display purposes

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...