Koshyk's answer helps. I did some searching and couldn't make heads or tails of what I'd seen, but with that - maybe all that's needed is some combination of strptime/strftime. Unfortunately, without a starting example I'll just have to guess.
Assume you have a timestamp "2017-05-14:23:01:01"; this run-anywhere example will convert it into an interim format (epoch) and then back into a formatted timestamp with hours from 0-11 and an AM/PM indicator. (I also remove an extra colon, because I can...)
| makeresults
| eval mydate="2017-05-14:23:01:01"
| eval myconverter = strptime(mydate, "%Y-%m-%d:%H:%M:%S")
| eval myconversion = strftime(myconverter, "%Y-%m-%d %l:%M:%S %p")
I recommend running this one step at a time and examining the output - when you only run the first three lines, you'll see the myconverter value is formatted as a date time - but this is only a display thing that Splunk is doing to make it pretty. When you add the fourth line, since myconverter is now being used elsewhere it will show the epoch value for it (at least that's the only explanation I have for why).
You could also change it in one step:
| makeresults
| eval mydate="2017-05-14:23:01:01"
| fieldformat mynewdate = strftime(strptime(mydate, "%Y-%m-%d:%H:%M:%S"), "%Y-%m-%d %l:%M:%S %p")
AND this only does a fieldformat on it which is a slightly different thing - what this means is it'll keep the value as an epoch value which allows math on it far easier, but display it the way you want.
Play with those, hopefully one will help you! You may want to play with more date and time format variables, too.
Lastly, if you have problems, be sure to post back with a few examples of your events/timestamps and I or someone else can provide the exact time/date variable string to you!
Happy Splunking,
Rich