extract a string into readable datetime format

harshal_chakran
Builder

Hi,
I have a string in the format "YYYYMMDD.HHMM", i.e. 20140120.1815

I want to display this in any readable date-time format that Splunk understands, as I have to do further analysis on the basis of time to show it on a chart.

Kindly help

1 Solution

somesoni2
SplunkTrust

This should work for you

* | head 1 | eval newdate="20140120.1815"| table newdate|eval time=strptime(newdate,"%Y%m%d.%H%M") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S.%3Q %p")

jpass
Contributor

My answer is pretty much the same but you can combine strptime with strftime like this:

| eval newdate="20140120.1815" | eval time=strftime(strptime(newdate,"%Y%m%d.%H%M"),"%Y-%m-%d %T") | table time

output is: 2014-01-20 18:15:00

strptime() - converts your string into a timestamp (epoch or 'seconds since Thursday, 1 January 1970')

strftime() - converts epoch timestamp into the viewable format of your deepest desire

see time variables: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

see functions for eval / where: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions

0 Karma

arya_alex
Engager

Perfect! I had to convert the Date variable of this format, Wed Feb 05 UTC 2014, to 2014-02-05. I used the above command like this:
eval time=strptime(Date,"%a %b %d UTC %Y") | eval Time=strftime(time,"%Y-%m-%d")|

0 Karma

marina_rovira
Contributor

Hi there!

I cannot make it work, I have this:

 | head 1  | eval my_time="Sun Apr 30 23:46:53 GMT+00:00 2017" | table my_time | eval final=strptime(my_time, "%a %b %d %H:%M:%S %Z%z %Y") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S") | table my_time,final,Time 

I have two fields, StartTime and EndTime, and I want to measure the difference between them. But I'm not getting even a timestamp conversion for one field.

Help please!
Thanks

PS: I think I don't have the epoch time either. So my first problem is there 😞

0 Karma

harshal_chakran
Builder

Thanks somesoni2..
This worked like a charm

0 Karma

richgalloway
SplunkTrust

eval time=strptime(<time string>,"%Y%m%d.%H%M")

---
If this reply helps you, Karma would be appreciated.
0 Karma

lukejadamec
Super Champion

Not sure why the string is not extracted in human-readable form, but if you use ctime on the created epoch time it should work.
eval newdate="20140120.1815"|eval time=strptime(newdate,"%Y%m%d.%H%M")|convert timeformat="%Y%m%d.%H%M" ctime(time) as Time | table Time

0 Karma

harshal_chakran
Builder

Hi,
I have tried it, but wasn't able to get a proper result.
My query is as below:

eval newdate="20140120.1815"|eval time=strptime(newdate,"%Y%m%d.%H%M")|table time

it shows output as: 1390221900.000000

0 Karma
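
Added example, not part of any post in this thread: the strptime/strftime conversion discussed above applied to two fields, with a check for strings that fail to parse and the difference between the two times. The field names start_epoch, end_epoch, parse_ok, duration_sec, Start and Duration and all sample values are constructed for illustration; StartTime and EndTime are used here only as sample field names in the thread's "YYYYMMDD.HHMM" format.

```spl
| makeresults count=3
| streamstats count AS n
| eval StartTime=case(n=1,"20140120.1815", n=2,"20140120.2359", n=3,"not-a-date")
| eval EndTime=case(n=1,"20140120.1930", n=2,"20140121.0004", n=3,"20140121.0100")
| eval start_epoch=strptime(StartTime,"%Y%m%d.%H%M"), end_epoch=strptime(EndTime,"%Y%m%d.%H%M")
| eval parse_ok=if(isnull(start_epoch) OR isnull(end_epoch),"no","yes")
| eval duration_sec=end_epoch-start_epoch
| eval _time=start_epoch
| eval Start=strftime(start_epoch,"%Y-%m-%d %H:%M:%S"), Duration=tostring(duration_sec,"duration")
| table _time StartTime EndTime parse_ok Start duration_sec Duration
```

strptime() returns null when the string does not match the format, so the third row is flagged with parse_ok=no and has no duration instead of silently dropping out of a chart. Assigning the epoch value to _time is what lets time-based commands such as timechart use the parsed value.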