I am trying to reformat a date/time stamp field from within my output.
Here is the current format: 21:32:31-Dec 08 2011
New format: 12/08/2011 21:32:31 AM/PM
thanks.
Convert it to an intermediate time_t and back again, using eval's strptime and strftime functions. Something like:
blah blah blah | eval myfield=strftime(strptime(myfield,"%H:%M:%S-%b %d %Y"),"%m/%d/%Y %I:%M:%S %p")
Does Splunk recognize this as a timestamp? For my answer below, I will assume that Splunk extracted the date into the _time field. An easy way to do this is to create a new field with eval:
<yoursearchhere> | eval formattedTime = strftime(_time, "%D %r") | table formattedTime <otherfieldshere>
Once you have created the new field, you can use it however you like; I just supplied the table command as an example. Google "strftime" for more formatting options.
If the datetime is contained in a different field, substitute that field name for _time. If Splunk didn't extract the field for you, post a bit more of the event (showing the timestamp in context) and someone will be able to help you extract it.
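The same conversion carried out in Python, as an added example that is not from either answer above nor from Splunk itself: Python's datetime module uses the same C-style strptime/strftime directives as Splunk's eval functions, so it is a cheap way to check a format string (and the easy-to-confuse %m/%M and %d/%D pairs) before running it against production data. The sample events and the regex that finds the stamp in context are constructed for illustration.

```python
import re
from datetime import datetime

# Source and target layouts from the question. These are C-style strftime
# directives, the same family Splunk's eval strptime()/strftime() understand.
# Note %b (month name) is locale-dependent; the C/English locale is assumed.
SRC_FMT = "%H:%M:%S-%b %d %Y"       # 21:32:31-Dec 08 2011
DST_FMT = "%m/%d/%Y %I:%M:%S %p"    # 12/08/2011 09:32:31 PM

# Constructed pattern that locates the original stamp inside a raw event,
# so the rewrite can be applied in context rather than to a lone field.
STAMP_RE = re.compile(r"\d{2}:\d{2}:\d{2}-[A-Z][a-z]{2} \d{2} \d{4}")


def reformat_stamp(stamp: str) -> str:
    """Convert one '21:32:31-Dec 08 2011' value to '12/08/2011 09:32:31 PM'."""
    return datetime.strptime(stamp, SRC_FMT).strftime(DST_FMT)


def round_trip_ok(stamp: str) -> bool:
    """Parse the reformatted value back and confirm no information was lost."""
    original = datetime.strptime(stamp, SRC_FMT)
    return datetime.strptime(reformat_stamp(stamp), DST_FMT) == original


def reformat_event(event: str) -> str:
    """Rewrite every stamp found in a raw event; lines without one are untouched."""
    return STAMP_RE.sub(lambda m: reformat_stamp(m.group(0)), event)


# Constructed sample events (not from the original page).
SAMPLE_EVENTS = [
    "21:32:31-Dec 08 2011 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "09:05:00-Jan 01 2012 sshd[1235]: Failed password for root from 10.0.0.9",
    "no timestamp on this line",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(reformat_event(line))
```

The round-trip check is worth keeping when normalising log timestamps: a format string that parses without error can still silently drop fields (a 2-digit %y, or %M where %m was intended), and comparing the parsed-back value against the original catches that before the data is indexed.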