- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: VALUE FORMAT
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
i have a value like this in a field 2018067155420 and i want to format it with this format : yyyymmddhhmmss so
could you help me please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| makeresults
| eval date_time = 20180627155420
| eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
i have wrote this but it doesnt works
index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
there is a mistake somewhere??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, like I said, you need to adjust it to your field names. So replace date_time with the field that contains your input. So looking at your example that would be LastLogon.
index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you are the best! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey@jip31,
You can add these attributes in your props.conf:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf
TIME_FORMAT =
TIME_PREFIX =
Let me know if this helps!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
not really
i just want to format this value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by format this value? Can you give an example of the output you expect of that formatting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
This value 20180627155420 correspond to the date 2018 06 27 and the hour 15 54 20
i would like to have finally an EVAL which does 27/06/2018 15:54
thanks
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
