Splunk Search

How do I write a search to change the format of a date from "1942-01-24" to "24/01/1942"?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I have a date in one of my searches which is in this format: 1942-01-24

Could someone tell me please if it is possible to change this to: 24/01/1942?

Many thanks and kind Regards

Chris

0 Karma
1 Solution

knielsen
Contributor

Another way of converting would be:

| stats count | eval date="1942-01-24" | eval date=replace(date,"(\d+)-(\d+)-(\d+)","\3/\2/\1") | table date

Hth,
Kai.

woodcock
Esteemed Legend

Like this:

 | stats count | eval date="1942-01-24" | rex mode=sed field=date "s/(\d+)-(\d+)-(\d+)/\3\/\2\/\1/" | table date

IRHM73
Motivator

Hi @woodcock, thank you for taking the time to reply to my post. Your solution works great.

Many thanks and kind regards

Chris

0 Karma

IRHM73
Motivator

Hi @kai, thank you for taking the time to reply to my post.

This works perfectly.

Many thanks and kindest regards

Chris

0 Karma

HiroshiSatoh
Champion

What about this?

・・・・|eval a="2015-10-02"|eval b=strftime(strptime(a,"%Y-%m-%d"),"%d/%m/%Y")|eval c=substr(a,9,2)+"/"+substr(a,6,2)+"/"+substr(a,1,4)|table a b c

However, use c, because that cannot be calculated for 1942.

0 Karma

IRHM73
Motivator

Hi, thank you for this.

I changed the date you entered to my field name to get the raw data and I've included a, b and c in my table but unfortunately this doesn't return any data.

Is it also possible that the output could be displayed in one field rather than a, b and c?

Many thanks and kind regards

Chris

0 Karma

HiroshiSatoh
Champion

Normally I think it is correct to convert using strptime.
However, this function does not seem to work for dates before 1970.

0 Karma

IRHM73
Motivator

Many thanks, hopefully someone else may be able to look at this.

Kind regards

Chris

0 Karma