strftime day and month: Splunk vs Python

pm771 · ‎08-20-2020

My question is about day and month components of a date without leading zeroes.

Python docs provide %-d and %-m respectively.

Splunk docs do not show these options. Splunk, however, has %e which seems to be the same as %-d. I did not find any option for decimal month number.

I have tried and Splunk seems to accept %-d and %-m

Is it standard feature that I can rely on? Is it implementation dependent?

Did I miss something in Splunk docs?

yeahnah · ‎08-20-2020

Hi @pm771

I think the Splunk docs are not very detailed about this and could be improved, for sure. I believe it's just python libraries in the Splunk backend so, yes, any valid python strftime() modifiers will work (dependent on the installed Splunk python version).

Here's a run anywhere example I tried.

| makeresults
| eval epoch=relative_time(_time, "@month")
      ,date1=strftime(relative_time(epoch, "@month"), "%Y-%m-%d")
      ,date2=strftime(relative_time(epoch, "@month"), "%Y-%m-%e")
      ,date3=strftime(relative_time(epoch, "@month"), "%Y-%-m-%-d")
      ,date4=strftime(relative_time(epoch, "@month"), "%Y-%#m-%#d")

Note the %e has a leading whitespace so stick to either %-d or %#d.

Hope this helps.

strftime day and month: Splunk vs Python

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

strftime day and month: Splunk vs Python

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard