Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Date and time format variables

This topic lists the variables that you can use to define time formats in the evaluation functions, strftime() and strptime(). You can also use these variables to describe timestamps in event data.

Additionally, you can use the relative_time() and now() time functions as arguments.

For more information about working with dates and time, see Time modifiers for search and About searching with time in the Search Manual.

Refer to the list of tz database time zones for all permissible time zone values. For more information about how the Splunk software determines a time zone and the tz database, see Specify time zones for timestamps in Getting Data In.

Subsecond time variables such as %N and %Q do not apply to metrics indexes, which are restricted to a second timestamp resolution.

Date and time variables

Variable Description
%c The date and time in the current locale's format as defined by the server's operating system. For example, Thu Jul 18 09:30:00 2019 for US English on Linux.
%+ The date and time with time zone in the current locale's format as defined by the server's operating system. For example, Thu Jul 18 09:30:00 PDT 2019 for US English on Linux.

Time variables

Variable Description
%Ez Splunk-specific, timezone in minutes.
%f Microseconds as a decimal number.
%H Hour (24-hour clock) as a decimal number. Hours are represented by the values 00 to 23. Leading zeros are accepted but not required.
%I Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required.
%k Like %H, the hour (24-hour clock) as a decimal number. Leading zeros are replaced by a space, for example 0 to 23.
%M Minute as a decimal number. Minutes are represented by the values 00 to 59. Leading zeros are accepted but not required.
%N The number of subsecond digits. The default is %9N. You can specify %3N = milliseconds, %6N = microseconds, %9N = nanoseconds.
%p AM or PM.
%Q The subsecond component of a UTC timestamp. The default is milliseconds, %3Q. Valid values are:
  •  %3Q = milliseconds, with values of 000-999
  •  %6Q = microseconds, with values of 000000-999999
  •  %9Q = nanoseconds, with values of 000000000-999999999
%S Second as a decimal number, for example 00 to 59.
%s The Unix Epoch Time timestamp, or the number of seconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). (1484993700 is Tue Jan 21 10:15:00 2020)
%T The time in 24-hour notation (%H:%M:%S). For example 23:59:59.
%X The time in the format for the current locale. For US English the format for 9:30 AM is 9:30:00.
%Z The timezone abbreviation. For example EST for US Eastern Standard Time.
%z The timezone offset from UTC, in hour and minute: +hhmm or -hhmm. For example, for 5 hours before UTC the values is -0500 which is US Eastern Standard Time.

Examples:

  • Use %z to specify hour and minute, for example -0500
  • Use %:z to specify hour and minute separated by a colon, for example -5:00
  • Use %::z to specify hour minute and second separated with colons, for example -05:00:00
  • Use %:::z to specify hour only, for example -05
%% A literal "%" character.

Date variables

Variable Description
%F Equivalent to %Y-%m-%d (the ISO 8601 date format).
%x The date in the format of the current locale. For example, 7/13/2019 for US English.

Specifying days and weeks

Variable Description
%A Full weekday name. (Sunday, ..., Saturday)
%a Abbreviated weekday name. (Sun, ... ,Sat)
%d Day of the month as a decimal number, includes a leading zero. (01 to 31)
%e Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31)
%j Day of year as a decimal number, includes a leading zero. (001 to 366)
%V (or %U) Week of the year. The %V variable starts the count at 1, which is the most common start number. The %U variable starts the count at 0.
%w Weekday as a decimal number. (0 = Sunday, ..., 6 = Saturday)

Specifying months

Variable Description
%b Abbreviated month name. (Jan, Feb, etc.)
%B Full month name. (January, February, etc.)
%m Month as a decimal number. (01 to 12). Leading zeros are accepted but not required.

Specifying year

Variable Description
%y Year as a decimal number, without the century. (00 to 99). Leading zeros are accepted but not required.
%Y Year as a decimal number with century. For example, 2020.

Examples

The following table shows the results of some time format strings:

Time format string Result
%Y-%m-%d 2019-12-31
%y-%m-%d 19-12-31
%b %d, %Y Feb 11, 2020
%d%b '%y = %Y-%m-%d 23 Apr '20 = 2020-04-23

The following table shows the results of searches that use time variables:

Sample search Result

host="www1" | eval WeekNo = strftime(_time, "%V")

Creates a field called WeekNo and returns the values for the week numbers that correspond to the dates in the _time field.

... | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")

Creates a field called mytime and returns the converted timestamp values in the _time field. The values are stored in UNIX format and converted using the format specified, which is the ISO 8601 format. For example: 2020-04-13T14:00:15.000.

Last modified on 12 October, 2021
PREVIOUS
Time functions
  NEXT
Time modifiers

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters