I have a string like this: "08Aug2017 10:12:55 CDT"
I want a date format like this: 08-Aug-2017 10:12:55 CDT
@prabu116, you can use the replace() function with the eval command. The following is a run-anywhere search; you can use your own base search and field name.
| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")
And a fourth answer using a different method (only the rex command is really the answer part):
| makeresults | eval date="08Aug2017 10:12:55 CDT"
| rex field=date mode=sed "s/(\d\d)(\w{3})(\d{4})/\1-\2-\3/"
One reason Splunk is great is that there are so many ways to do something. I thought it would be good to provide multiple ways here because we can all learn from what others do. I think that the previous answers are all good and worthy of looking at. Mine is very simple, relying only on a single rex command, but if you need something more complicated than what it will do, I think that woodcock's and cmerriman's answers can give you the most flexibility if you need to go with a format that differs more than you have described. I'm up-voting those answers.
The right way to do it is to convert to time_t (AKA "epoch") and KEEP it that way. Then use fieldformat to make it look pretty:
... | eval MyDate=strptime(MyDate,"%d%b%Y %H:%M:%S %Z")
| fieldformat MyDate = strftime(MyDate, "%d-%b-%Y %H:%M:%S %Z")
Try this:
|eval date=strftime(strptime(dateField,"%d%b%Y %H:%M:%S %Z"),"%d-%b-%Y %H:%M:%S %Z")
It will basically put your string into epoch time and then put it back as a date string in the format you want.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
This works fine. Thanks a lot, niletnilay.
Glad it worked. You got plenty of options to choose from 🙂
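The two approaches from the answers above, run side by side on good and malformed input. This is an added example, not posted by anyone in the thread; the field names raw, by_regex, epoch, by_time and status and the three sample values are constructed for illustration. It relies on strptime() returning null when a string does not match the format, which the regex approach has no equivalent of.

```spl
| makeresults
| eval raw=split("08Aug2017 10:12:55 CDT;99Xyz2017 10:12:55 CDT;not a timestamp", ";")
| mvexpand raw
| eval by_regex=replace(raw, "^(\d{2})(\w{3})", "\1-\2-")
| eval epoch=strptime(raw, "%d%b%Y %H:%M:%S %Z")
| eval by_time=strftime(epoch, "%d-%b-%Y %H:%M:%S %Z")
| eval status=if(isnull(epoch), "unparsed", "ok")
| table raw by_regex by_time status
```

The regex rewrites anything shaped like two digits plus three word characters, so a malformed value can come out looking like a valid date, while the strptime() route flags it as unparsed. strftime() renders in the time zone of the user running the search, so by_time may not show the original zone abbreviation.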