
extract a string into readable datetime format

harshal_chakran
Builder

Hi,
I have a string in the format "YYYYMMDD.HHMM", i.e. 20140120.1815

I want to display this in any readable date-time format that Splunk understands, as I have to do further analysis on the basis of time to show it on a chart.

Kindly help


somesoni2
SplunkTrust

This should work for you

* | head 1 | eval newdate="20140120.1815"| table newdate|eval time=strptime(newdate,"%Y%m%d.%H%M") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S.%3Q %p")


jpass
Contributor

My answer is pretty much the same but you can combine strptime with strftime like this:

| eval newdate="20140120.1815" | eval time=strftime(strptime(newdate,"%Y%m%d.%H%M"),"%Y-%m-%d %T") | table time

output is: 2014-01-20 18:15:00

strptime() - converts your string into a timestamp (epoch or 'seconds since Thursday, 1 January 1970')

strftime() - converts epoch timestamp into the viewable format of your deepest desire

see time variables: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

see functions for eval / where: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions

0 Karma

arya_alex
Engager

Perfect! I had to convert the Date variable of this format, Wed Feb 05 UTC 2014, to 2014-02-05. I used the above command like this:
eval time=strptime(Date,"%a %b %d UTC %Y") | eval Time=strftime(time,"%Y-%m-%d")|

0 Karma

marina_rovira
Contributor

Hi there!

I cannot make it work, I have this:

 | head 1  | eval my_time="Sun Apr 30 23:46:53 GMT+00:00 2017" | table my_time | eval final=strptime(my_time, "%a %b %d %H:%M:%S %Z%z %Y") | eval Time=strftime(time,"%Y-%m-%d %H:%M:%S") | table my_time,final,Time 

I have two fields, StartTime and EndTime, and I want to measure the difference between them. But I'm not getting even a timestamp conversion for one field.

Help please!
Thanks

P.S.: I think I don't have the epoch time either. So my first problem is there 😞

0 Karma

harshal_chakran
Builder

Thanks somesoni2..
This worked like a charm

0 Karma

richgalloway
SplunkTrust

eval time=strptime(<time string>,"%Y%m%d.%H%M")

---
If this reply helps you, Karma would be appreciated.
0 Karma

lukejadamec
Super Champion

Not sure why the string is not extracted in human readable, but if you use ctime on the created epoch time it should work.
eval newdate="20140120.1815"|eval time=strptime(newdate,"%Y%m%d.%H%M")|convert timeformat="%Y%m%d.%H%M" ctime(time) as Time | table Time

0 Karma

harshal_chakran
Builder

Hi,
I have tried it, but was not able to get the proper result.
My query is as below:

eval newdate="20140120.1815"|eval time=strptime(newdate,"%Y%m%d.%H%M")|table time

It shows the output as: 1390221900.000000

0 Karma
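An added example, not written by any poster in this thread: Python's `datetime` accepts the same `%Y%m%d.%H%M` directives as the searches above, and it shows that the epoch for a zone-less string depends on the timezone assumed when parsing, which matters when timelines from different sources are correlated. The epoch 1390221900 quoted above equals 18:15 at UTC+05:30; that offset, the function names and the second sample time are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Same directives as the strptime() calls in the thread.
THREAD_FMT = "%Y%m%d.%H%M"


def to_epoch(text, fmt=THREAD_FMT, utc_offset_hours=0.0):
    """Parse a zone-less timestamp string into epoch seconds.

    utc_offset_hours is the zone the string is assumed to be written in
    (hypothetical parameter). Returns None when the string does not match
    fmt, so a bad value is visible instead of silently shifting a timeline.
    """
    try:
        naive = datetime.strptime(text, fmt)
    except ValueError:
        return None
    zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=zone).timestamp()


def to_readable(epoch, out_fmt="%Y-%m-%d %H:%M:%S"):
    """Render epoch seconds as a UTC string (the strftime step)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(out_fmt)


def duration_seconds(start, end, fmt=THREAD_FMT):
    """Difference between two timestamp strings, or None if either fails to parse."""
    first, last = to_epoch(start, fmt), to_epoch(end, fmt)
    if first is None or last is None:
        return None
    return last - first


if __name__ == "__main__":
    sample = "20140120.1815"                          # value from the question
    as_utc = to_epoch(sample)                         # string assumed to be UTC
    as_0530 = to_epoch(sample, utc_offset_hours=5.5)  # assumed UTC+05:30
    print(as_utc, to_readable(as_utc))
    print(as_0530, to_readable(as_0530))
    # Constructed end time, 87 minutes after the sample.
    print(duration_seconds(sample, "20140120.1942"))
    print(to_epoch("2014-01-20 18:15"))               # wrong layout -> None
```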