Solved: Re: TIme Conversion

krvamsireddy · ‎09-11-2020

Hi ,

how to change the below raw time field to yyyy-mm-dd hh:mm:ss

2020-09-09T18:21:12.2685607Z

am using the below query and didnt get any result

eval time = strftime(activityDateTime,"%Y-%m-%d %H:%M:%S")

Can someone please help

thambisetty · ‎09-11-2020

@krvamsireddy

check updated answer.

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎09-11-2020

strftime is used to convert unix timestamp to human readable format.

you should use strptime to convert time which is already in human readable format if you need to format it.

| makeresults | eval activityDateTime="2020-09-09T18:21:12.2685607Z"
| eval time = strftime(strptime(activityDateTime,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d %H:%M:%S")

————————————
If this helps, give a like below.

krvamsireddy · ‎09-11-2020

still in the old format, and time column is still blank

ITWhisperer · ‎09-11-2020

What do you mean by raw time field? What fields do you have? Do you get anything in the time field you created?

krvamsireddy · ‎09-11-2020

No i didnt get anything.

raw time field - time format which i get in the event

activityDateTIme

thambisetty · ‎09-11-2020

@krvamsireddy

check updated answer.

————————————
If this helps, give a like below.

ITWhisperer · ‎09-11-2020

Looks like you need to parse the activityDateTime with strptime and then format that with strftime

eval time = strptime(strptime(activityDateTime, "%Y-%m-%dT%H:%M:%S.%Q"),"%Y-%m-%d %H:%M:%S")

Or you could just parse the activityDateTime string into an epoch time and the use fieldformat on the time field for display purposes

TIme Conversion

eval

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life