Solved: extract a string into readable datetime format

harshal_chakran · ‎01-20-2014

Hi,
I have string in a format as "YYYYMMDD.HHMM" i.e. 20140120.1815

I want to display this in any readable date time format which splunk understands as I have to do further analysis on the basis of time to show it on chart.

Kindly help

somesoni2 · ‎01-21-2014

This should work for you

* | head 1 | eval newdate="20140120.1815"| table newdate|eval time=strptime(newdate,"%Y%m%d.%H%M") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S.%3Q %p")

View solution in original post

jpass · ‎01-21-2014

My answer is pretty much the same but you can combine strptime with strftime like this:

| eval newdate="20140120.1815" | eval time=strftime(strptime(newdate,"%Y%m%d.%H%M"),"%Y-%m-%d %T") | table time

output is: 2014-01-20 18:15:00

strptime() - converts your string into a timestamp (epoch or 'seconds since Thursday, 1 January 1970')

strftime() - converts epoch timestamp into the viewable format of your deepest desire

see time variables: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

see functions for eval / where: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions

somesoni2 · ‎01-21-2014

This should work for you

* | head 1 | eval newdate="20140120.1815"| table newdate|eval time=strptime(newdate,"%Y%m%d.%H%M") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S.%3Q %p")

arya_alex · ‎02-07-2014

Perfect! I had to convert the Date variable of this format Wed Feb 05 UTC 2014 to 2014-02-05.I used the above command like this-
eval time=strptime(Date,"%a %b %d UTC %Y") | eval Time=strftime(time,"%Y-%m-%d")|

marina_rovira · ‎05-18-2017

Hi there!

I cannot make it work, I have this:

 | head 1  | eval my_time="Sun Apr 30 23:46:53 GMT+00:00 2017" | table my_time | eval final=strptime(my_time, "%a %b %d %H:%M:%S %Z%z %Y") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S") | table my_time,final,Time

I have to fields, StartTime and EndTime and I want to measure the difference between them. But I'm not getting even a timestamp conversion for one field.

Help please!
Thanks

PD: I think I don't have the epoch time neither. So my first problem is there 😞

harshal_chakran · ‎01-22-2014

Thanks somesoni2..
This worked like a charm

richgalloway · ‎01-20-2014

eval time=strptime(<time string>,"%Y%m%d.%H%M")

---
If this reply helps you, Karma would be appreciated.

lukejadamec · ‎01-21-2014

Not sure why the string is not extracted in human readable, but if you use ctime on the created epoch time it should work.
eval newdate="20140120.1815"|eval time=strptime(newdate,"%Y%m%d.%H%M")|convert timeformat="%Y%m%d.%H%M" ctime(time) as Time | table Time

harshal_chakran · ‎01-21-2014

Hi,
I have tried it, but couldn't able to get proper result.
My query is as below:

eval newdate="20140120.1815"|eval time=strptime(newdate,"%Y%m%d.%H%M")|table time

it shows output as: 1390221900.000000

extract a string into readable datetime format

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies