How to configure for ISO 8601 date and time display?

pmocek
Explorer

How can I cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601, the international standard for representation of dates and times?

I do not want to specify use of this format for a specific dashboard, view, or report. I do not want to affect the parsing of timestamps when Splunk indexes data. When Splunk formats a numeric representation of date and/or time for presentation to a user (not when it displays raw data), I want it to use the standard format.

I do not believe that I can cause my browser to communicate this style guideline to Splunk, and no option for overriding the browser locale appears to offer this format.

I am using Splunk 5.0.3. My searches of the Web, Splunk's documentation, the Splunk wiki, and this knowledge base, have not turned up a direct solution, though "translating Splunk" (a heavy-handed operation I would prefer to avoid) may be an option.

1 Solution

pmocek
Explorer

Answering my own question: You cannot do that.

0 Karma

scentoni_splunk
Splunk Employee

This is not the answer you want, but may help others that are looking to format a field in ISO 8601 format. Try
sourcetype="access_combined" | eval iso8601time=strftime(_time,"%Y-%m-%dT%H:%M:%S%z") | table _time, iso8601time

_time                 iso8601time
2015-06-24 14:01:59   2015-06-24T14:01:59-0700
2015-06-24 14:01:40   2015-06-24T14:01:40-0700
2015-06-24 14:01:31   2015-06-24T14:01:31-0700

MohamedElagamy
Engager

Well, that's unacceptable. How are we supposed to parse ISO 8601 then?

0 Karma

darlas
Communicator

I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help.

0 Karma

pmocek
Explorer

This does not appear to cause Splunk to perform all formatting for display of timestamps in compliance with ISO 8601.

0 Karma

Dennis
Explorer

Hello darlas,

Was just refreshing my knowledge of the ISO 8601 timestamp format, and read your post from 5 years and 9 months ago. Don't see that anyone ever responded to your question.

"I also am trying to parse or reformat an ISO 8601 date into something more human friendly. Hope someone can help."

ISO 8601 format:

| eval newtime=strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z")

Here is something more human-readable and friendly without getting too far away from the ISO standard. Like to change the year with century, %Y, to without century, %y, leave out the T separator and the time zone offset, %z, and add the milliseconds, %3N. Also, like to add the @ between the date and time strings, but that can be added or removed depending on preference, and horizontal real estate available in the report or dashboard panel. Hope this helps - if you still need help. 😎

| eval newtime=strftime(_time, "%m/%d/%y @ %H:%M:%S.%3N")

 

0 Karma
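
An added example, not from any poster in this thread: a run-anywhere SPL search that parses ISO 8601 strings with strptime and re-renders them with the format strings posted above, plus the `%:z` variant that writes the offset as `-07:00` instead of `-0700`. The sample values and field names are constructed, and `makeresults` assumes a Splunk version newer than the 5.0.3 mentioned in the question.

```spl
| makeresults
| eval constructed_raw=split("2015-06-24T14:01:59.123-0700|2015-06-24T21:01:59.123+0000|06/24/2015 14:01", "|")
| mvexpand constructed_raw
| eval epoch=strptime(constructed_raw, "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval parsed=if(isnull(epoch), "no", "yes")
| eval iso_basic_offset=strftime(epoch, "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval iso_colon_offset=strftime(epoch, "%Y-%m-%dT%H:%M:%S.%3N%:z")
| eval friendly=strftime(epoch, "%m/%d/%y @ %H:%M:%S.%3N")
| table constructed_raw, parsed, epoch, iso_basic_offset, iso_colon_offset, friendly
```

The first two rows describe the same instant and yield the same epoch; the third does not match the format, so strptime returns null and `parsed` is "no". strftime renders in the time zone of the user running the search, so the offset in the output reflects that setting rather than the offset in the input string.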