Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

VALUE FORMAT

jip31
Motivator
‎07-18-2018 11:25 PM

Hi

i have a value like this in a field 2018067155420 and i want to format it with this format : yyyymmddhhmmss so
could you help me please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-19-2018 04:43 AM

Try this:

| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-19-2018 04:43 AM

Try this:

| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-20-2018 12:26 AM

Hi

i have wrote this but it doesnt works

index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

there is a mistake somewhere??

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-20-2018 12:47 AM

Yes, like I said, you need to adjust it to your field names. So replace date_time with the field that contains your input. So looking at your example that would be LastLogon.

 index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-20-2018 12:57 AM

you are the best! thanks

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎07-18-2018 11:37 PM

Hey@jip31,

You can add these attributes in your props.conf:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf

TIME_FORMAT =
TIME_PREFIX =

Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-19-2018 02:25 AM

hi
not really
i just want to format this value

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-19-2018 03:14 AM

What do you mean by format this value? Can you give an example of the output you expect of that formatting?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-19-2018 04:30 AM

hi
This value 20180627155420 correspond to the date 2018 06 27 and the hour 15 54 20
i would like to have finally an EVAL which does 27/06/2018 15:54
thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...