Using time variables

You can use variables in several different ways:

To define date and time formats using the strftime() and strptime() evaluation functions.
To describe timestamps in event data.
As arguments to the relative_time() and now() evaluation functions.

There are variables that produce dates, variables that produce times, and variables that produce both dates and times.

Date and time variables

The following table lists variables that produce both a date and a time.


Variable	Description
%c	The date and time in the current locale's format as defined by the server's operating system. For example, `Thu Jul 18 09:30:00 2022` for US English on Linux.
%+	The date and time with time zone in the current locale's format as defined by the server's operating system. For example, `Thu Jul 18 09:30:00 PDT 2022` for US English on Linux.

Time variables

The following table lists variables that produce a time.


Variable	Description
%Ez	Splunk-specific, timezone in minutes.
%H	Hour (24-hour clock) as a decimal number. Hours are represented by the values 00 to 23. Leading zeros are accepted but not required.
%I	Uppercase "i". Hour (12-hour clock) with the hours represented by the values 01 to 12. Leading zeros are accepted but not required. Use with %p to specify AM or PM for the 12-hour clock.
%k	Like %H, the hour (24-hour clock) as a decimal number. Leading zeros are replaced by a space, for example 0 to 23.
%M	Minute as a decimal number. Minutes are represented by the values 00 to 59. Leading zeros are accepted but not required.
%N	The number of subsecond digits. The default is %9N. You can specify %3N = milliseconds, %6N = microseconds, %9N = nanoseconds. Note: The %N variable is not supported in pipelines. To include subseconds in pipelines, use the format %Y-%m-%dT%H:%M:%S.%Q%Z.
%p	AM or PM.
%Q	The subsecond component of a UTC timestamp. The default is milliseconds, %3Q. Valid values are: %3Q = milliseconds, with values of 000-999 %6Q = microseconds, with values of 000000-999999 %9Q = nanoseconds, with values of 000000000-999999999
%S	Second as a decimal number, for example 00 to 59.
%s	The Unix Epoch Time timestamp, or the number of seconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). (1484993700 is Tue Jan 21 10:15:00 2022)
%T	The time in 24-hour notation (%H:%M:%S). For example 23:59:59.
%X	The time in the format for the current locale. For US English the format for 9:30 AM is `9:30:00`.
%Z	The timezone abbreviation. For example `EST` for US Eastern Standard Time.
%z	The timezone offset from UTC, in hour and minute: +hhmm or -hhmm. For example, for 5 hours before UTC the values is `-0500` which is US Eastern Standard Time. Examples: Use %z to specify hour and minute, for example -0500 Use %:z to specify hour and minute separated by a colon, for example -5:00 Use %::z to specify hour minute and second separated with colons, for example -05:00:00 Use %:::z to specify hour only, for example -05
%%	A literal "%" character.

Date variables

The following table lists variables that produce a date.


Variable	Description
%F	Equivalent to %Y-%m-%d (the ISO 8601 date format).
%x	The date in the format of the current locale. For example, 7/13/2022 for US English.

Specifying days and weeks

The following table lists variables that produce values for days and weeks.


Variable	Description
%A	Full weekday name. (Sunday, ..., Saturday)
%a	Abbreviated weekday name. (Sun, ... ,Sat)
%d	Day of the month as a decimal number, includes a leading zero. (01 to 31)
%e	Like %d, the day of the month as a decimal number, but a leading zero is replaced by a space. (1 to 31)
%j	Day of year as a decimal number, includes a leading zero. (001 to 366)
%V	Week of the year. (1 to 52)
%w	Weekday as a decimal number. (0 = Sunday, ..., 6 = Saturday)

Specifying months

The following table lists variables that produce values for months.


Variable	Description
%b	Abbreviated month name. (Jan, Feb, etc.)
%B	Full month name. (January, February, etc.)
%m	Month as a decimal number. (01 to 12). Leading zeros are accepted but not required.

Specifying year

The following table lists variables that produce values for years.


Variable	Description
%y	Year as a decimal number, without the century. (00 to 99). Leading zeros are accepted but not required.
%Y	Year as a decimal number with century. For example, 2022.

Examples

The following table shows the results of some time format strings:


Time format string	Result
%Y-%m-%d	2021-12-31
%y-%m-%d	21-12-31
%b %d, %Y	Feb 11, 2022
%d%b '%y = %Y-%m-%d	23 Apr '22 = 2022-04-23

The following table shows the results of searches that use time variables:


Sample search	Result
`host="www1" \| eval WeekNo = strftime(_time, "%V")`	Creates a field called `WeekNo` and returns the values for the week numbers that correspond to the dates in the `_time` field.
`... \| eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")`	Creates a field called `mytime` and returns the converted timestamp values in the `_time` field. The values are stored in UNIX format and converted using the format specified, which is the ISO 8601 format. For example: 2022-04-13T14:00:15.000.

Documentation