Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

VALUE FORMAT

jip31
Motivator
‎07-18-2018 11:25 PM

Hi

i have a value like this in a field 2018067155420 and i want to format it with this format : yyyymmddhhmmss so
could you help me please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-19-2018 04:43 AM

Try this:

| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-19-2018 04:43 AM

Try this:

| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-20-2018 12:26 AM

Hi

i have wrote this but it doesnt works

index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")

there is a mistake somewhere??

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-20-2018 12:47 AM

Yes, like I said, you need to adjust it to your field names. So replace date_time with the field that contains your input. So looking at your example that would be LastLogon.

 index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-20-2018 12:57 AM

you are the best! thanks

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎07-18-2018 11:37 PM

Hey@jip31,

You can add these attributes in your props.conf:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf

TIME_FORMAT =
TIME_PREFIX =

Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-19-2018 02:25 AM

hi
not really
i just want to format this value

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-19-2018 03:14 AM

What do you mean by format this value? Can you give an example of the output you expect of that formatting?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-19-2018 04:30 AM

hi
This value 20180627155420 correspond to the date 2018 06 27 and the hour 15 54 20
i would like to have finally an EVAL which does 27/06/2018 15:54
thanks

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...