Related Answers
Download topic as PDF
Date and time format variables
This topic lists the variables that you can use to define time formats in the evaluation functions strftime() and strptime(). You can also use these variables to describe timestamps in event data.
Additionally, you can use the relative_time() and now() time functions as arguments.
For more information about working with dates and time, see Time modifiers for search and About searching with time in the Search Manual.
Refer to the list of tz database time zones for all permissible time zone values. For more information about how the Splunk software determines a time zone and the tz database, see Specify time zones for timestamps in Getting Data In.
Date and time variables
| Variable | Description |
|---|---|
| %c | The date and time in the current locale's format as defined by the server's operating system. For example, Mon Jul 13 09:30:00 2017 for US English on Linux.
|
| %+ | The date and time with time zone in the current locale's format as defined by the server's operating system. For example, Mon Jul 13 09:30:00 PDT 2017 for US English on Linux.
|
Time variables
| Variable | Description |
|---|---|
| %Ez | Splunk-specific, timezone in minutes. |
| %H | Hour (24-hour clock) as a decimal number. Hours are represented by the values 00 to 23. Leading zeros are accepted but not required. |
| %I | Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required. |
| %k | Like %H, the hour (24-hour clock) as a decimal number. Leading zeros are replaced by a space, for example 0 to 23. |
| %M | Minute as a decimal number. Minutes are represented by the values 00 to 59. Leading zeros are accepted but not required. |
| %N | Subseconds with width. (%3N = milliseconds, %6N = microseconds, %9N = nanoseconds) |
| %p | AM or PM. |
| %Q | The subsecond component of 2017-11-30 23:59:59.999 UTC.
%3Q = milliseconds, with values of 000-999. %6Q = microseconds, with values of 000000-999999. %9Q = nanoseconds, with values of 000000000-999999999. |
| %S | Second as a decimal number, for example 00 to 59. |
| %s | The Unix Epoch Time timestamp, or the number of seconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). (1484993700 is Sat Jan 21 10:15:00 2017) |
| %T | The time in 24-hour notation (%H:%M:%S). For example 23:59:59. |
| %X | The time in the format for the current locale. For US English the format for 9:30 AM is 9:30:00.
|
| %Z | The timezone abbreviation. For example EST for US Eastern Standard Time.
|
| %z | The timezone offset from UTC, in hour and minute: +hhmm or -hhmm. For example, for 5 hours before UTC the values is -0500 which is US Eastern Standard Time.
Examples:
|
| %% | A literal "%" character. |
Date variables
| Variable | Description |
|---|---|
| %F | Equivalent to %Y-%m-%d (the ISO 8601 date format). |
| %x | The date in the format of the current locale. For example, 7/13/2017 for US English. |
Specifying days and weeks
| Variable | Description |
|---|---|
| %A | Full weekday name. (Sunday, ..., Saturday) |
| %a | Abbreviated weekday name. (Sun, ... ,Sat) |
| %d | Day of the month as a decimal number, includes a leading zero. (01 to 31) |
| %e | Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31) |
| %j | Day of year as a decimal number, includes a leading zero. (001 to 366) |
| %V | Week of the year. (1 to 52) |
| %w | Weekday as a decimal number. (0 = Sunday, ..., 6 = Saturday) |
Specifying months
| Variable | Description |
|---|---|
| %b | Abbreviated month name. (Jan, Feb, etc.) |
| %B | Full month name. (January, February, etc.) |
| %m | Month as a decimal number. (01 to 12). Leading zeros are accepted but not required. |
Specifying year
| Variable | Description |
|---|---|
| %y | Year as a decimal number, without the century. (00 to 99). Leading zeros are accepted but not required. |
| %Y | Year as a decimal number with century. For example, 2017. |
Examples
| Time format string | Result |
|---|---|
| %Y-%m-%d | 2017-12-31 |
| %y-%m-%d | 17-12-31 |
| %b %d, %Y | Feb 11, 2017 |
| q|%d%b '%y = %Y-%m-%d| | q|23 Apr '17 = 2017-04-23| |
|
|
Returns the week number values in the WeekNo field. |
|
PREVIOUS Statistical and charting functions |
NEXT Time modifiers |
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Comments
Hi All,
How do i convert epoch time to readable time?
my formats are in:
"EdgeEndTimestamp":1550016131456000000,
"EdgeStartTimestamp":1550016101456000000,"
How do you audit the Domain Controller if that is what is generating the time? Is there a script to use to get those results? Our policy is it must be within 1 minute of accuracy to protect the integrity of all the audits. So how can I audit the internal system clocks that generate the time stamps?
Thanks Masonmorales!
TIME_FORMAT for rfc3339 date format (example: 2018-11-03T16:47:28.254283-04:00)
%FT%T.%6Q%:z
Hope this helps others!
Anirbandasdeb
Thanks for the correction. I added the %V variable to the list of day and week variables and included it in the Examples section. I also added an example to the strftime(X) function.
Correction to the code in my previous [below] comment:
The following should work:
| makeresults 1
| eval WeekNo = strftime(_time, "%V"), timestamp = strftime(_time, "%Y-%m-%d %H:%M:%S.%N")
@Lstewart
Please mention the %V variable. It extracts the "Week No. of Year" from the epoch timestamp.
Ex.: | eval Week = strftime(strptime(_time, "%Y-%m-%d %H:%M:%S.%N"), "%V")
I have USER IDs and TIME_ELAPSED with 100 rows. Time Elapsed is in string format. Now i want to take total time elapsed per user id and want to display it in a graphical view.
Please help and provide your input.
It appears that splunk supports modifier flavs after the "%", but I do not see any mention of this on this page. For example:
- (hyphen) Do not pad the field
_ (underscore) Pad with spaces
0 (zero) Pad with zeroes
^ Upper case (where possible)
# Opposite case (where possible)
Hi Adam
Thank you for your feedback on the time format variables. The only difference between %Q and %N is how many digits they default to if you don’t include a field width.
Suppose you specify this:
… |stats count| eval _raw=strftime(12345.123456789,"%N %q %Q”)
It would return this:
123456000 123456 123
Note that even though %N defaults to 9 digits, currently only 6 get real values (the others are the zeros) because of the range of UNIX’s “struct timeval”
If you specify an explicit field width, these 2 format variables return the same values.
If you specify 5 as the explicit field width for each of the variables, this search:
…|stats count| eval _raw=strftime(12345.123456789,"%5N %5q %5Q”)
Returns this:
12345 12345 12345
Can some more clarification be made with regards to the difference between %N and %Q?
Dhillny
You can always use the where command to filter out events in a certain time range and the relative_time function.
E.g.
| where _time<relative_time(now(),”-30m”)
OR
_time > relative_time(now(),”-15m”)
These would filter out events between 15 and 30 minutes ago.
is there a way to parse long and short year format in one sourcetype? e.g. we have 01-Nov-16 and 01-Nov-2016 in the log and only one could be recognised properly.
Is there a way to exclude a time range from a scheduled report? Please provide example if so, thanks.
Cgardiner
Thank you for the examples!
I have added them to the documentation.
For reference on alternate timezone formats:
%z - hour and minute (e.g. +0500)
%:z - hour and minute separated with a colon (e.g. +05:00)
%::z - hour minute and second separated with colons (e.g. +05:00:00)
%:::z - hour only (e.g. +05)
It seems that we also can "extract" tab characters as %t, if a tab appears in your event data.
Hello Splunk team !<br /><br />What about the dates before the 1970/1/1 ?<br /><br />Greg
Hello jlks
You would use the strftime function. Since your times include nanoseconds, you must convert them to seconds using the pow function. See the Usage section in the strftime function for an example of how to do that. Here is the link to that documentation: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29