Solved: extract date with characters between

sbsbb · ‎01-22-2013

I try to transform a date string, into a date, to enable splunk to sort it.

Here is a sample :
2013-01-17T09:35:49Z

Hi tried :
eval n=strftime(field, " %Y-%m-%dT%H:%M:%SZ")

But it doesn't work. Why ? What would be the best way to do this ?
Is there a way to automate the conversion at searchtime ?

Damien_Dallimor · ‎01-22-2013

If I understand correctly you want to parse the string "2013-01-17T09:35:49Z" into a time value , so you should use str*ptime not strf*time

View solution in original post

Damien_Dallimor · ‎01-22-2013

If I understand correctly you want to parse the string "2013-01-17T09:35:49Z" into a time value , so you should use str*ptime not strf*time

sbsbb · ‎08-15-2014

At index Time, splunk is able to reconize Timeformat automatically, is there a way to use the same recognition an search time, with "convert" for example ?

I have 4 different Timeformat for the same field, and I want to be able to convert it in one way...:
2014-08-15T10:13:00+02:00
2014-08-15T10:13:00.000+02:00
2014-08-15T08:41:36Z
2014-08-15T08:41:36.000Z

if I use
| convert auto()

I only get the year...
But somehow Splunk is able to handle this by indexing, maybe a function is missing being able to use it a search time ?

sbsbb · ‎01-22-2013

It was because of a leading space character... it works now, thanks

Damien_Dallimor · ‎01-22-2013

This worked fine for me, I think you have an accidental space character before the "%Y" :

...| eval foo="2013-01-17T09:35:49Z" | eval goo=strptime(foo,"%Y-%m-%dT%H:%M:%SZ") | table goo

sbsbb · ‎01-22-2013

Ok, thanks, but
eval n=strptime(field, " %Y-%m-%dT%H:%M:%SZ")
still returns no value

extract date with characters between

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life