Solved: Re: TIme Conversion

krvamsireddy · ‎09-11-2020

Hi ,

how to change the below raw time field to yyyy-mm-dd hh:mm:ss

2020-09-09T18:21:12.2685607Z

am using the below query and didnt get any result

eval time = strftime(activityDateTime,"%Y-%m-%d %H:%M:%S")

Can someone please help

thambisetty · ‎09-11-2020

@krvamsireddy

check updated answer.

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎09-11-2020

strftime is used to convert unix timestamp to human readable format.

you should use strptime to convert time which is already in human readable format if you need to format it.

| makeresults | eval activityDateTime="2020-09-09T18:21:12.2685607Z"
| eval time = strftime(strptime(activityDateTime,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d %H:%M:%S")

————————————
If this helps, give a like below.

krvamsireddy · ‎09-11-2020

still in the old format, and time column is still blank

ITWhisperer · ‎09-11-2020

What do you mean by raw time field? What fields do you have? Do you get anything in the time field you created?

krvamsireddy · ‎09-11-2020

No i didnt get anything.

raw time field - time format which i get in the event

activityDateTIme

thambisetty · ‎09-11-2020

@krvamsireddy

check updated answer.

————————————
If this helps, give a like below.

ITWhisperer · ‎09-11-2020

Looks like you need to parse the activityDateTime with strptime and then format that with strftime

eval time = strptime(strptime(activityDateTime, "%Y-%m-%dT%H:%M:%S.%Q"),"%Y-%m-%d %H:%M:%S")

Or you could just parse the activityDateTime string into an epoch time and the use fieldformat on the time field for display purposes

TIme Conversion

eval

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!