Splunk Search

How to change zh-CN to 24 hours format?

itgrc
Engager

I don't want to change zh-CN to en-GB, I only want to change zh-CN from 12 hours format to 24 hours format?
Any help?

Richfez
SplunkTrust

Koshyk's answer helps. I did some searching and couldn't make heads or tails of what I'd seen, but with that - maybe all that's needed is some combination of strptime/strftime. Unfortunately, without a starting example I'll just have to guess.

Assume you have a timestamp "2017-05-14:23:01:01", this run-anywhere example will convert it into an interim format (epoch) and then back into a formatted timestamp with hours from 0-11 and an AM/PM indicator. (I also remove an extra colon, because I can...)

| makeresults 
| eval mydate="2017-05-14:23:01:01" 
| eval myconverter = strptime(mydate, "%Y-%m-%d:%H:%M:%S")
| eval myconversion = strftime(myconverter, "%Y-%m-%d %l:%M:%S %p")

I recommend running this one step at a time and examining the output - when you only run the first three lines, you'll see the myconverter value is formatted as a date time - but this is only a display thing that Splunk is doing to make it pretty. When you add the fourth line, since myconverter is now being used elsewhere it will show the epoch value for it (at least that's the only explanation I have for why).

You could also change it in one step:

| makeresults 
| eval mydate="2017-05-14:23:01:01" 
| fieldformat mynewdate = strftime(strptime(mydate, "%Y-%m-%d:%H:%M:%S"), "%Y-%m-%d %l:%M:%S %p")

AND this only does a fieldformat on it which is a slightly different thing - what this means is it'll keep the value as an epoch value which allows math on it far easier, but display it the way you want.

Play with those, hopefully one will help you! You may want to play with more date and time format variables, too.

Lastly, if you have problems be sure to post back with a few examples of your events/timestamps and I or someone else can provide the exact time/date variable string to you!

Happy Splunking,
Rich

0 Karma

koshyk
Super Champion

I'm not an expert in zh-CN, but I thought it had HH format (24h). So the only options I can think of are
- Change the URL to en-GB to switch to GB format (i.e. override the browser locale)
- Create a new app in etc/apps (e.g. MYTIMEAPP). Copy the zh-CN renderer html file and edit the timestamp format. Detailed example here
- UI internationalisation. This is a full solution, but needs some time and effort

0 Karma

Richfez
SplunkTrust

I'm sure many people would like to help but may not be able to grasp the problem.

Could you provide a little more context and a few examples? Is this data you already have ingested or is it still on disk in a log file somewhere? For the examples, can you provide both a representative sampling of things you have plus what you'd like it to look like?

Thanks!
