timeformat for AM/PM in MKTime

rgcox1
Communicator

What is the timeformat symbol to specify that AM/PM is included in the string? %P appears to work, but results show a difference when the 2 times are exactly the same. PM is simply being stripped instead of adding 12 hours.

source="WinEventLog:*" |eval time=_time|convert timeformat="%m/%d/%Y %H:%M:%S %P" MkTime(WinEventDate) as wtime|eval diff=wtime-time |where diff<0 |Convert ctime(time) as ctime |fields host, diff, WinEventDate, ctime, time, wtime

Thanks


liadal
New Member

When the field type is string with AM/PM format

This solution works for me:
strftime(strptime(replace(FirstDepositDate,substr(FirstDepositDate,-2),""),"%m/%d/%Y"),"%m/%d/%Y")


griffinpair
Path Finder

%I designates the hour for 12-hr timing format and %H designates the hour for 24-hr timing format. %P needs to be at the end to pick up the am/pm string at the end.

If using a 12-HR time format, 08:08:30 PM would be:

"%I:%M:%S %P"

If using a 24-HR time format, 20:08:30 PM would be:

"%H:%M:%S %P"
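An added illustration (not code from any poster in this thread) of the %I versus %H behaviour described above, using Python's datetime.strptime, whose treatment of the AM/PM token follows the same rule as C and Splunk strptime: it adjusts the hour only when the hour was read with %I. The WinEventDate string, its assumed _time and the two-digit-year formats are constructed for this example, and Python accepts only %p, not %P.

```python
from datetime import datetime

# Constructed sample: the WinEventDate text of one event, as quoted in the thread.
# It carries a two-digit year, so the formats below use %y where the search used %Y.
WIN_EVENT_DATE = "10/18/10 08:08:30 PM"
# Assumed _time of that same event, i.e. 20:08:30 on 18 Oct 2010 (constructed).
EVENT_TIME = datetime(2010, 10, 18, 20, 8, 30)

FMT_24H = "%m/%d/%y %H:%M:%S %p"   # the original search: %H plus an AM/PM token
FMT_12H = "%m/%d/%y %I:%M:%S %p"   # the fix: %I, so %p can add 12 hours


def parse_event_date(text: str, fmt: str) -> datetime:
    """Parse text with a strptime format.

    With %H the PM token is matched but then silently discarded, so the
    parsed hour stays at 08. With %I the same token turns 08 into 20.
    """
    return datetime.strptime(text, fmt)


def hour_24(text: str, fmt: str) -> str:
    """Hour:minute:second on a 24-hour clock after parsing text with fmt."""
    return parse_event_date(text, fmt).strftime("%H:%M:%S")


def diff_seconds(fmt: str, win_event_date: str = WIN_EVENT_DATE,
                 event_time: datetime = EVENT_TIME) -> float:
    """Reproduce the thread's eval diff=wtime-time, in seconds.

    A negative result is the symptom the original search filtered on
    with where diff<0: the parsed time sits 12 hours before the event.
    """
    return (parse_event_date(win_event_date, fmt) - event_time).total_seconds()


if __name__ == "__main__":
    # %H: parsed 08:08:30, diff -43200s; %I: parsed 20:08:30, diff +0s
    for fmt in (FMT_24H, FMT_12H):
        print(f"{fmt!r}: parsed {hour_24(WIN_EVENT_DATE, fmt)}, "
              f"diff {diff_seconds(fmt):+.0f}s")
```

A 12-hour skew of this kind shifts every affected event on a timeline, so a diff check like the one in the original search is a useful sanity test whenever a parsed string timestamp is compared against _time.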

griffinpair
Path Finder

Any answer on this? I am having the same issue with 5:18:30 PM showing as 05:18:30 with the following search:

eval time=strftime(round(strptime(full_Time, "%H:%M:%S %p")), "%H:%M:%S")


jluste
Path Finder

Here is a Splunk Reference Guide: http://docs.splunk.com/images/1/17/4.2.x_search_language_refcard.pdf

This has a number of wonderfully useful things, the last page being devoted to REGEX and Splunk STRPTIME formats.

alemin
Engager

This syntax works on my Splunk ver. 4.2.2 and converts 24 to 12 hours using %I instead of %H

%Y-%m-%d %I:%M%P

example

2012-02-01 05:47pm

araitz
Splunk Employee

Open Group's publication says %p (not sure if lower case matters).

http://www.opengroup.org/onlinepubs/009695399/functions/strptime.html

%p    The locale's equivalent of a.m or p.m.

Can you post an example event that you are having problems with?

rgcox1
Communicator

Good reference. Thought it might be that I was using an upper case H, but tried all variations of UC and LC H with any parameter related to a 12 hour clock. UC H and UC or LC p are the only ones that returned any result, and they always ignore PM.


rgcox1
Communicator

Example:

10/18/10 08:08:30 PM
