What is the timeformat symbol to specify that AM/PM is included in the string? %P appears to work, but results show a difference when the 2 times are exactly the same. PM is simply being stripped instead of adding 12 hours.
source="WinEventLog:*" |eval time=_time|convert timeformat="%m/%d/%Y %H:%M:%S %P" MkTime(WinEventDate) as wtime|eval diff=wtime-time |where diff<0 |Convert ctime(time) as ctime |fields host, diff, WinEventDate, ctime, time, wtime
Thanks
When the field type is a string with AM/PM format, this solution works for me:
strftime(strptime(replace(FirstDepositDate,substr(FirstDepositDate,-2),""),"%m/%d/%Y"),"%m/%d/%Y"),
%I designates the hour for 12-hr timing format and %H designates the hour for 24-hr timing format. %P needs to be at the end to pick up the am/pm string at the end.
If using a 12-HR time format, 08:08:30 PM would be:
"%I:%M:%S %P"
If using a 24-HR time format, 20:08:30 PM would be:
"%H:%M:%S %P"
Any answer on this? I am having the same issue with 5:18:30 PM showing as 05:18:30 with the following search:
eval time=strftime(round(strptime(full_Time, "%H:%M:%S %p")), "%H:%M:%S")
Here is a Splunk Reference Guide: http://docs.splunk.com/images/1/17/4.2.x_search_language_refcard.pdf
This has a number of wonderfully useful things, with the last page devoted to REGEX and Splunk STRPTIME formats.
This syntax works on my Splunk ver. 4.2.2 and converts 24 to 12 hours using %I instead of %H
%Y-%m-%d %I:%M%P
example
2012-02-01 05:47pm
Open Group's publication says %p (not sure if lower case matters).
http://www.opengroup.org/onlinepubs/009695399/functions/strptime.html
%p The locale's equivalent of a.m or p.m.
Can you post an example event that you are having problems with?
Good reference. Thought it might be that I was using an upper case H, but tried all variations of UC and LC H with any parameter related to a 12 hour clock. UC H and UC or LC p are the only ones that returned any result, and they always ignore PM.
Example:
10/18/10 08:08:30 PM
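To make the %H-versus-%I behaviour described in the answers above concrete, here is an added Python example (not from the original thread and not Splunk SPL). Python's datetime.strptime follows the same C-library convention the answers rely on: the AM/PM token matched by %p only adjusts the hour when the hour was parsed with %I, and is silently ignored after %H. The sample event is constructed from the one quoted in the last reply; because its year is two digits the format uses %y, which is an assumption, not the original search's %Y.

```python
from datetime import datetime

# Constructed sample input, modelled on the event quoted in the thread.
# The year is two digits, so %y is assumed here; the original search used %Y.
SAMPLE_EVENT = "10/18/10 08:08:30 PM"

FMT_24H = "%m/%d/%y %H:%M:%S %p"  # %H: the AM/PM token is matched but ignored
FMT_12H = "%m/%d/%y %I:%M:%S %p"  # %I: the AM/PM token adjusts the hour


def parse_event(text, fmt):
    """Return (hour in 0..23, 'HH:MM:SS') for text parsed with the given format."""
    dt = datetime.strptime(text, fmt)
    return dt.hour, dt.strftime("%H:%M:%S")


def compare_formats(text=SAMPLE_EVENT):
    """Parse the same event with %H and with %I and return both 24-hour results."""
    return {
        "with_%H": parse_event(text, FMT_24H)[1],  # PM dropped: 08:08:30
        "with_%I": parse_event(text, FMT_12H)[1],  # PM applied: 20:08:30
    }


def parse_12h_clock(clock, fmt="%I:%M:%S %p"):
    """Convert a 12-hour clock string such as '12:30:00 AM' to an hour in 0..23.

    Covers the edge cases a 12-hour clock has: 12 AM is hour 0 and 12 PM is hour 12.
    The AM/PM token is matched case-insensitively, so 'pm' works as well as 'PM'.
    """
    return datetime.strptime(clock, fmt).hour


if __name__ == "__main__":
    print(compare_formats())
    for clock in ("12:00:00 AM", "12:00:00 PM", "05:18:30 PM", "08:08:30 pm"):
        print(clock, "->", parse_12h_clock(clock))
```

Running it shows the symptom from the question and the comment (08:08:30 PM and 5:18:30 PM keeping their morning hour) when %H is used, and the corrected 20:08:30 / 17 when %I is used with %p.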