Splunk Search

How to convert the date which is in text format (YYYY-MM-DD HH:MM:SS) to a new field called "month_name" (MMM)

tejasbharadwaj
New Member

Hello,

I have a field name called "opened_at" where the date in this field is in text format (YYYY-MM-DD HH:MM:SS). Now, using "opened_at" field, I need to create a new field called "month_name" which should display only month in (MMM) format.

Example:- If my date in the field "opened_at" is in text format (2017-05-31 10:20:10), then the new field should be populated as "month_name" and it should show the result as "May".

Please help!

Tags (1)
0 Karma
1 Solution

dineshraj9
Builder

If you already have a field named opened_at extracted then do it this way -

<your search> | eval month_name=strftime(strptime(opened_at,"%F %T"),"%b")

Here are details of the time functions used - http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/CommonEvalFunctions

View solution in original post

0 Karma

Richfez
SplunkTrust
SplunkTrust

A combination of strptime to convert the existing time into an epoch, then a strftime to convert it to the format you want.

... | eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")

Should do it.

A run anywhere example:

| makeresults 
| eval opened_at = "2017-05-31 10:20:10"
| eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")

Richfez
SplunkTrust
SplunkTrust

Also, "%b" could be used at the end to get the 3-character month abbreviation.

Links for reference:
Eval Date and Time functions
Common Time Format Variables

0 Karma

dineshraj9
Builder

If you already have a field named opened_at extracted then do it this way -

<your search> | eval month_name=strftime(strptime(opened_at,"%F %T"),"%b")

Here are details of the time functions used - http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/CommonEvalFunctions

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...