Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

convert string date(without seprater) to readable date format - 20180112 to 12/01/2018

goyals05
Explorer
‎01-23-2018 10:25 AM

Hi,

I am using data-models. In raw data I am getting date as YYYYMMDD, I want to convert it in DD/MM/YYYY.

Is there a simple way to convert this as there is no separator ?

Otherwise I have to separate them in 3 different fields and use it.

 ^(?<year>\d\d\d\d)(?<month>\d\d)(?<day>\d\d)

Example : 20180112 to 12/01/2018
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-24-2018 01:21 AM

Try this run anywhere search

| makeresults 
| eval date="20180112 20180130 20180131 20181212 20181231" 
| makemv date 
| mvexpand date 
| eval date=strftime(strptime(date,"%Y%m%d"),"%d/%m/%Y")

In your environment you should write,

<your_base_Search>
| eval date=strftime(strptime(date,"%Y%m%d"),"%d/%m/%Y")

The inner date is the field which have YYYYMMDD format.
let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-24-2018 01:21 AM

Try this run anywhere search

| makeresults 
| eval date="20180112 20180130 20180131 20181212 20181231" 
| makemv date 
| mvexpand date 
| eval date=strftime(strptime(date,"%Y%m%d"),"%d/%m/%Y")

In your environment you should write,

<your_base_Search>
| eval date=strftime(strptime(date,"%Y%m%d"),"%d/%m/%Y")

The inner date is the field which have YYYYMMDD format.
let me know if this helps!

Reply
Solved! Jump to solution

493669
Super Champion
‎01-23-2018 10:38 AM

Try this anywhere search:

| makeresults
| eval Time="20180112"
| eval time=strftime(strptime(Time,"%Y%m%d"),"%d/%m/%Y")

You can create eval field expression in data model using | eval time=strftime(strptime(Time,"%Y%m%d"),"%d/%m/%Y")

Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-24-2018 01:25 AM

this will not work if you have Time="20180125" as the format is DD/MM/YYYY and not MM/DD/YYYY.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-24-2018 01:40 AM

Thanks for correction! ☺

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...