Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

VALUE FORMAT

jip31
Motivator
‎07-18-2018 11:25 PM

Hi

i have a value like this in a field 2018067155420 and i want to format it with this format : yyyymmddhhmmss so
could you help me please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-19-2018 04:43 AM

Try this:

| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-19-2018 04:43 AM

Try this:

| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-20-2018 12:26 AM

Hi

i have wrote this but it doesnt works

index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

there is a mistake somewhere??

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-20-2018 12:47 AM

Yes, like I said, you need to adjust it to your field names. So replace date_time with the field that contains your input. So looking at your example that would be LastLogon.

 index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-20-2018 12:57 AM

you are the best! thanks

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎07-18-2018 11:37 PM

Hey@jip31,

You can add these attributes in your props.conf:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf

TIME_FORMAT =
TIME_PREFIX =

Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-19-2018 02:25 AM

hi
not really
i just want to format this value

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-19-2018 03:14 AM

What do you mean by format this value? Can you give an example of the output you expect of that formatting?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-19-2018 04:30 AM

hi
This value 20180627155420 correspond to the date 2018 06 27 and the hour 15 54 20
i would like to have finally an EVAL which does 27/06/2018 15:54
thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...