Solved: Why does my date format change when downloading CS...

splunkcol · ‎10-18-2022

Hello,

When I run a query I get the results as I need them in a table from Splunk but when I download the .csv file, the timestamp field changes to an incorrect date and year.

Does anyone know how I can fix it?

bowesmana · ‎10-18-2022

Is your timestamp in that format or have you formatted it like that - where is your year?

If you have an epoch date/time, then probably the most portable date format is ISO8601, i.e.

YYYY-MM-DD HH:MM:SS

which is done with

| eval timestamp=strftime(_time, "%F %T")

but it will depend on what time field you have to play with and whether you also have/want milliseconds

See strftime documentation

View solution in original post

bowesmana · ‎10-18-2022

Looks like you're loading it into Excel, so Excel is trying to figure out what

Oct 15 00:03:53

is. It is interpreting it as MMM YY HH:MM:SS

You will need to open the CSV and tell Excel what format your time is rather than allowing it to determine it automatically

splunkcol · ‎10-18-2022

Hi, thanks for replying, is it possible with a |eval that you suggest me to modify the order of the date in which excel does not generate me that error?

I already tried to format it from excel but the problem still persists.

bowesmana · ‎10-18-2022

Is your timestamp in that format or have you formatted it like that - where is your year?

If you have an epoch date/time, then probably the most portable date format is ISO8601, i.e.

YYYY-MM-DD HH:MM:SS

which is done with

| eval timestamp=strftime(_time, "%F %T")

but it will depend on what time field you have to play with and whether you also have/want milliseconds

See strftime documentation

Why does my date format change when downloading CSV?

eval

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms