Splunk® Cloud Services

SPL2 Search Manual

Using time variables

You can use variables in several different ways:

There are variables that produce dates, variables that produce times, and variables that produce both dates and times.

Date and time variables

The following table lists variables that produce both a date and a time.

Variable Description
%c The date and time in the current locale's format as defined by the server's operating system. For example, Thu Jul 18 09:30:00 2022 for US English on Linux.
%+ The date and time with time zone in the current locale's format as defined by the server's operating system. For example, Thu Jul 18 09:30:00 PDT 2022 for US English on Linux.

Time variables

The following table lists variables that produce a time.

Variable Description
%Ez Splunk-specific, timezone in minutes.
%H Hour (24-hour clock) as a decimal number. Hours are represented by the values 00 to 23. Leading zeros are accepted but not required.
%I Uppercase "i". Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required. Use with %p to specify AM or PM for the 12-hour clock.
%k Like %H, the hour (24-hour clock) as a decimal number. Leading zeros are replaced by a space, for example 0 to 23.
%M Minute as a decimal number. Minutes are represented by the values 00 to 59. Leading zeros are accepted but not required.
%N The number of subsecond digits. The default is %9N. You can specify %3N = milliseconds, %6N = microseconds, %9N = nanoseconds.
%p AM or PM.
%Q The subsecond component of a UTC timestamp. The default is milliseconds, %3Q. Valid values are:
  •  %3Q = milliseconds, with values of 000-999
  •  %6Q = microseconds, with values of 000000-999999
  •  %9Q = nanoseconds, with values of 000000000-999999999
%S Second as a decimal number, for example 00 to 59.
%s The Unix Epoch Time timestamp, or the number of seconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). (1484993700 is Tue Jan 21 10:15:00 2022)
%T The time in 24-hour notation (%H:%M:%S). For example 23:59:59.
%X The time in the format for the current locale. For US English the format for 9:30 AM is 9:30:00.
%Z The timezone abbreviation. For example EST for US Eastern Standard Time.
%z The timezone offset from UTC, in hour and minute: +hhmm or -hhmm. For example, for 5 hours before UTC the values is -0500 which is US Eastern Standard Time.

Examples:

  • Use %z to specify hour and minute, for example -0500
  • Use %:z to specify hour and minute separated by a colon, for example -5:00
  • Use %::z to specify hour minute and second separated with colons, for example -05:00:00
  • Use %:::z to specify hour only, for example -05
%% A literal "%" character.

Date variables

The following table lists variables that produce a date.

Variable Description
%F Equivalent to %Y-%m-%d (the ISO 8601 date format).
%x The date in the format of the current locale. For example, 7/13/2022 for US English.

Specifying days and weeks

The following table lists variables that produce values for days and weeks.

Variable Description
%A Full weekday name. (Sunday, ..., Saturday)
%a Abbreviated weekday name. (Sun, ... ,Sat)
%d Day of the month as a decimal number, includes a leading zero. (01 to 31)
%e Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31)
%j Day of year as a decimal number, includes a leading zero. (001 to 366)
%V Week of the year. (1 to 52)
%w Weekday as a decimal number. (0 = Sunday, ..., 6 = Saturday)

Specifying months

The following table lists variables that produce values for months.

Variable Description
%b Abbreviated month name. (Jan, Feb, etc.)
%B Full month name. (January, February, etc.)
%m Month as a decimal number. (01 to 12). Leading zeros are accepted but not required.

Specifying year

The following table lists variables that produce values for years.

Variable Description
%y Year as a decimal number, without the century. (00 to 99). Leading zeros are accepted but not required.
%Y Year as a decimal number with century. For example, 2022.

Examples

The following table shows the results of some time format strings:

Time format string Result
%Y-%m-%d 2021-12-31
%y-%m-%d 21-12-31
%b %d, %Y Feb 11, 2022
%d%b '%y = %Y-%m-%d 23 Apr '22 = 2022-04-23

The following table shows the results of searches that use time variables:

Sample search Result

host="www1" | eval WeekNo = strftime(_time, "%V")

Creates a field called WeekNo and returns the values for the week numbers that correspond to the dates in the _time field.

... | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")

Creates a field called mytime and returns the converted timestamp values in the _time field. The values are stored in UNIX format and converted using the format specified, which is the ISO 8601 format. For example: 2022-04-13T14:00:15.000.

See also

Related information
Timestamps and time ranges
Time modifiers
Specifying relative time
Time zones
Last modified on 31 October, 2024
Specifying time spans   Time zones

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters