Skip to main content
Sumo Logic

formatDate

The formatDate operator allows you to format dates in log files as a string in the format you require, such as US date formatting, European formatting, timestamps, etc. 

Syntax

formatDate(date [, format [, timeZone]]) as alias

Returns

A date String, in US-style date format if no format is specified. The date is in the local timezone of the user if no timeZone is specified.

Parameters

  • date - milliseconds, as a Long. You can also use formatDate with the Now operator.
  • format - any valid date and time pattern String accepted by Java’s SimpleDateFormat.
  • timeZone - a String, such as "America/Los Angeles" or "Europe/London"

Examples

Date format YYYY-MM-dd

Use the following query to return results for the current date using the date format YYYY-MM-dd.

* | formatDate(now(), "YYYY-MM-dd") as today

This creates the today column, and returns the following results.

FormatDate

European date format dd-MM-yyyy

Use the following query to create a today column, and return the results using the European date format of day, month, year, dd-MM-yyyy.

* | formatDate(now(),"dd-MM-yyyy") as today

This returns the following results:

EuropeanDateFormat

US date format with a timestamp

This example creates a today column and uses the US date format with a timestamp, MM-dd-yyyy HH:mm.

* | formatDate(now(), "MM-dd-yyyy HH:mm", "America/New_York") as today

Which returns results like:

DateTimestamp

Find messages with incorrect timestamps

This query allows you to find messages with incorrect timestamps.

* | formatDate(_receipttime, "MM/dd/yyyy HH:mm:ss:SSS") as receiptDate
| formatDate(_messageTime, "MM/dd/yyyy HH:mm:ss:SSS") as messageDate
| _receiptTime - _messageTime as delay
| delay / 60000 as delayInMinutes

This query produces results like this:

Incorrect Timestamp

How old are your messages?

This query lets you determine the age of your log messages.

* | formatDate(_messageTime, "MM/dd/yyyy HH:mm:ss:SSS") as messageDate
| formatDate(now(), "MM/dd/yyyy HH:mm:ss:SSS") as today
| now() as currentTime
| currentTime - _messageTime as messageAge
| messageAge / (60*1000) as messageAgeInMinutes

Which produces results like this:

Message age