Hi,

In a Splunk query I need to convert the time format as below.

Current format - Apr 13 17:58:35

Required format: 04/13/2012 5:58:35 PM

asked 16 Apr '12, 03:23

Ravan

Is it the timestamp that is recognized by Splunk, or do you have an extracted field with this value?

(16 Apr '12, 03:47) ziegfried ♦

2 Answers:

I believe that you'll have to make a two-stage operation: first convert your input format to epoch, and then convert it to your desired format.

... | eval epochtime=strptime(your_current_time_field, "%b %d %H:%M:%S") | eval desired_time=strftime(epochtime, "%m/%d/%Y %I:%M:%S %p")

However, since the data coming in has no year specification, I'm not sure that you would get usable results. It may be that you'll have to make changes to the logging application so that the full date is being logged.

For information regarding strftime and strptime, see:

http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions
http://strftime.org

UPDATE:

Ah, ziegfried has an important point. If Splunk has read your timestamp (without the year) and parsed and indexed it correctly (you can compare the timestamps in the events with the timestamp next to the blue down-arrow-thingy to the left of the event), then you can skip the first part and use the _time field, which is already in epoch.

...| eval desired_time=strftime(_time, "%m/%d/%Y %I:%M:%S %p")

Hope this helps somewhat anyway,

Kristian

answered 16 Apr '12, 03:49

kristian.kolb

edited 16 Apr '12, 03:57

Cool, it's working great. Thanks

(16 Apr '12, 05:35) Ravan
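
The missing-year caveat raised in the answer above, worked through outside Splunk as an added Python example (not code from this thread): it chooses the year for a year-less timestamp relative to a known receive time and renders the requested format. The function names, the one-day clock-skew allowance and the sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta

IN_FMT = "%b %d %H:%M:%S"  # e.g. "Apr 13 17:58:35"; %b assumes English month names


def parse_yearless(stamp, reference, max_skew=timedelta(days=1)):
    """Parse a timestamp that carries no year.

    `reference` is when the event was received (assumed known). The newest
    year that does not place the event more than `max_skew` after
    `reference` is chosen, so a December event read in January resolves to
    the previous year instead of eleven months into the future.
    """
    for year in range(reference.year, reference.year - 5, -1):
        try:
            # Append the year before parsing: a bare strptime defaults to
            # 1900 and rejects "Feb 29" because 1900 is not a leap year.
            candidate = datetime.strptime(f"{stamp} {year}", IN_FMT + " %Y")
        except ValueError:
            continue  # this date does not exist in this year (Feb 29)
        if candidate <= reference + max_skew:
            return candidate
    raise ValueError(f"no plausible year for {stamp!r}")


def format_us(dt):
    """Render as MM/DD/YYYY h:MM:SS AM/PM with an unpadded 12-hour clock."""
    hour12 = dt.hour % 12 or 12
    suffix = "PM" if dt.hour >= 12 else "AM"
    return f"{dt:%m/%d/%Y} {hour12}:{dt:%M:%S} {suffix}"


if __name__ == "__main__":
    # Constructed samples: (raw timestamp, assumed receive time).
    samples = [
        ("Apr 13 17:58:35", datetime(2012, 4, 16, 3, 23)),
        ("Dec 31 23:59:50", datetime(2013, 1, 1, 0, 0, 5)),   # year rollover
        ("Feb 29 00:00:01", datetime(2013, 3, 1, 12, 0, 0)),  # leap day
    ]
    for raw, received in samples:
        print(raw, "->", format_us(parse_yearless(raw, received)))
```
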

Here is how to create a new field by parsing and formatting a date value using Splunk's eval command:

... | eval newdatefield = strftime( strptime( myolddatefield, "%b %d %H:%M:%S" ), "%m/%d/%Y %I:%M:%S %p")
  • use strptime() to parse a timestamp value
  • use strftime() to format a timestamp value

answered 16 Apr '12, 04:01

ziegfried ♦

Asked: 16 Apr '12, 03:23

Seen: 3,401 times

Last updated: 16 Apr '12, 05:35

Copyright © 2005-2012 Splunk Inc. All rights reserved.