Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Date and time format variables

This topic lists the variables that you can use to define time formats in the evaluation functions strftime() and strptime(). You can also use these variables to describe timestamps in event data.

Additionally, you can use the relative_time() and now() time functions as arguments.

For more information about working with dates and time, see Time modifiers for search and About searching with time in the Search Manual.

Refer to the list of tz database time zones for all permissible time zone values. For more information about how the Splunk software determines a time zone and the tz database, see Specify time zones for timestamps in Getting Data In.

Date and time variables

Variable Description
%c The date and time in the current locale's format as defined by the server's operating system. For example, Mon Jul 13 09:30:00 2017 for US English on Linux.
%+ The date and time with time zone in the current locale's format as defined by the server's operating system. For example, Mon Jul 13 09:30:00 PDT 2017 for US English on Linux.

Time variables

Variable Description
%Ez Splunk-specific, timezone in minutes.
%H Hour (24-hour clock) as a decimal number. Hours are represented by the values 00 to 23. Leading zeros are accepted but not required.
%I Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required.
%k Like %H, the hour (24-hour clock) as a decimal number. Leading zeros are replaced by a space, for example 0 to 23.
%M Minute as a decimal number. Minutes are represented by the values 00 to 59. Leading zeros are accepted but not required.
%N Subseconds with width. (%3N = milliseconds, %6N = microseconds, %9N = nanoseconds)
%p AM or PM.
%Q The subsecond component of 2017-11-30 23:59:59.999 UTC.

%3Q = milliseconds, with values of 000-999. %6Q = microseconds, with values of 000000-999999. %9Q = nanoseconds, with values of 000000000-999999999.

%S Second as a decimal number, for example 00 to 59.
%s The Unix Epoch Time timestamp, or the number of seconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). (1484993700 is Sat Jan 21 10:15:00 2017)
%T The time in 24-hour notation (%H:%M:%S). For example 23:59:59.
%X The time in the format for the current locale. For US English the format for 9:30 AM is 9:30:00.
%Z The timezone abbreviation. For example EST for US Eastern Standard Time.
%z The timezone offset from UTC, in hour and minute: +hhmm or -hhmm. For example, for 5 hours before UTC the values is -0500 which is US Eastern Standard Time.

Examples:

  • Use %z to specify hour and minute, for example -0500
  • Use %:z to specify hour and minute separated by a colon, for example -5:00
  • Use %::z to specify hour minute and second separated with colons, for example -05:00:00
  • Use %:::z to specify hour only, for example -05
%% A literal "%" character.

Date variables

Variable Description
%F Equivalent to %Y-%m-%d (the ISO 8601 date format).
%x The date in the format of the current locale. For example, 7/13/2017 for US English.

Specifying days and weeks

Variable Description
%A Full weekday name. (Sunday, ..., Saturday)
%a Abbreviated weekday name. (Sun, ... ,Sat)
%d Day of the month as a decimal number, includes a leading zero. (01 to 31)
%e Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31)
%j Day of year as a decimal number, includes a leading zero. (001 to 366)
%V Week of the year. (1 to 52)
%w Weekday as a decimal number. (0 = Sunday, ..., 6 = Saturday)

Specifying months

Variable Description
%b Abbreviated month name. (Jan, Feb, etc.)
%B Full month name. (January, February, etc.)
%m Month as a decimal number. (01 to 12). Leading zeros are accepted but not required.

Specifying year

Variable Description
%y Year as a decimal number, without the century. (00 to 99). Leading zeros are accepted but not required.
%Y Year as a decimal number with century. For example, 2017.

Examples

Time format string Result
%Y-%m-%d 2017-12-31
%y-%m-%d 17-12-31
%b %d, %Y Feb 11, 2017
q|%d%b '%y = %Y-%m-%d| q|23 Apr '17 = 2017-04-23|

host="www1" | eval WeekNo = strftime(_time, "%V")

 Returns the week number values in the WeekNo field.
Last modified on 20 November, 2018
PREVIOUS
Statistical and charting functions 		  NEXT
Time modifiers

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters