Splunk Search

How to convert string date format to other date format?

prabu116
Engager

I have a string like this: 08Aug2017 10:12:55 CDT

I want the date in a format like this: 08-Aug-2017 10:12:55 CDT


niketn
Legend

@prabu116, you can use the replace() function with the eval command. The following is a run-anywhere search; you can use your own base search and field name:

| makeresults
| eval date="08Aug2017 10:12:55 CDT"
| eval date=replace(date,"^(\d{2})(\w{3})","\1-\2-")

cpetterborg
SplunkTrust

And a fourth answer using a different method (only the rex command is really the answer part):

| makeresults | eval date="08Aug2017 10:12:55 CDT"
| rex field=date mode=sed "s/(\d\d)(\w{3})(\d{4})/\1-\2-\3/"

One reason Splunk is great is that there are so many ways to do something. I thought it would be good to provide multiple ways here because we can all learn from what others do. I think that the previous answers are all good and worthy of looking at. Mine is very simple, relying only on a single rex command, but if you need something more complicated than what it will do, I think that woodcock's and cmerriman's answers can give you the most flexibility if you need to go with a format that differs more than you have described. I'm up-voting those answers.

woodcock
Esteemed Legend

The right way to do it is to convert to time_t (AKA "epoch") and KEEP it that way. Then use fieldformat to make it look pretty:

... | eval MyDate=strptime(MyDate,"%d%b%Y %H:%M:%S %Z")
| fieldformat MyDate = strftime(MyDate, "%d-%b-%Y %H:%M:%S %Z")

cmerriman
Super Champion

Try this:

|eval date=strftime(strptime(dateField,"%d%b%Y %H:%M:%S %Z"),"%d-%b-%Y %H:%M:%S %Z")

It will basically convert your string to epoch time and then put it back as a date string in the format you want.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
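
The run-anywhere search below is an added example, not part of any answer above, that puts the two approaches side by side: the regex rewrite from the replace()/rex answers and the strptime()/fieldformat approach from woodcock's and cmerriman's answers. The three input strings are constructed for the demo, and the field names raw, as_string, as_epoch, n and age_days are my own choices. It goes one step beyond the question by using dates from different months, which is where the two approaches diverge.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample values in the original 08Aug2017 form, deliberately spanning three months ```
| eval raw=case(n==1, "08Aug2017 10:12:55 CDT", n==2, "01Sep2017 08:00:00 CDT", n==3, "30Jul2017 18:30:00 CDT")
``` approach 1: rewrite the text only; result is still a string ```
| eval as_string=replace(raw, "^(\d{2})(\w{3})", "\1-\2-")
``` approach 2: parse to epoch seconds and keep the number ```
| eval as_epoch=strptime(raw, "%d%b%Y %H:%M:%S %Z")
``` arithmetic only works on the epoch field, not on as_string ```
| eval age_days=round((now()-as_epoch)/86400)
``` numeric sort gives chronological order: 30-Jul, 08-Aug, 01-Sep ```
| sort as_epoch
``` display-only formatting; the underlying value stays numeric ```
| fieldformat as_epoch=strftime(as_epoch, "%d-%b-%Y %H:%M:%S %Z")
| table n raw as_string as_epoch age_days
```

Swap `sort as_epoch` for `sort as_string` and the rows come out 01-Sep, 08-Aug, 30-Jul, because a day-first string sorts lexically rather than chronologically; that is the practical reason behind "convert to epoch and keep it that way". Two caveats: the ``` ... ``` inline comment syntax requires a Splunk version that supports search comments, so drop those lines on older versions, and the zone printed by strftime's %Z is the timezone configured for the user running the search, so do not expect it to echo the literal CDT from the input.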


prabu116
Engager

This works fine. Thanks a lot niketnilay


niketn
Legend

Glad it worked. You got plenty of options to choose from 🙂
