Sumo Logic

formatDate

The formatDate operator allows you to format dates in log files as a string in the format you require, such as US date formatting, European formatting, timestamps, etc. 

It works in three modes:

  1. formatDate(_messagetime) produces a string output with a default US-style date format in the local timezone of the user.
  2. formatDate(_messagetime, someFormat) produces a string output with the designated date format in the local timezone of the user.
  3. formatDate(_messagetime, someFormat, someTimezone) produces a string output with the designated format in the designated timezone.

Syntax:

  • formatDate(date)
  • formatDate(date, formatString)
  • formatDate(date, formatString, timeZone)

Rules:

You can also use formatDate with the Now operator.

Examples

Date format YYYY-MM-dd.

Use the following query to return results for the current date using the date format YYYY-MM-dd.

* | formatDate(now(), "YYYY-MM-dd") as today

This creates the today column, and returns the following results.

European date format dd-MM-yyyy.

Use the following query to create a today column, and return the results using the European date format of day, month, year, dd-MM-yyyy.

* | formatDate(now(), "dd-MM-yyyy") as today

This returns the following results:

US date format with a timestamp.

This example creates a today column and uses the US date format with a timestamp, MM-dd-yyyy HH:mm.

* | formatDate(now(), "MM-dd-yyyy HH:mm", "America/New_York") as today

Which returns results like:

 

Find messages with incorrect timestamps.

This query allows you to find messages with incorrect timestamps.

* | formatDate(_receipttime, "MM/dd/yyyy HH:mm:ss:SSS") as receiptDate
| formatDate(_messagetime, "MM/dd/yyyy HH:mm:ss:SSS") as messageDate
| _receipttime - _messagetime as delay
| delay / 60000 as delayInMinutes

This query produces results like this:
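
The query below is an added example, not part of the original Sumo Logic page. It extends the query above to keep only messages whose message time and receipt time differ by more than a threshold, then summarizes them per source category so the affected collectors or sources stand out. The 5-minute threshold, the direction labels and the alias names are assumptions chosen for illustration.

```sumo
// Added example (not from the original page). Threshold and aliases are assumed values.
* | _receipttime - _messagetime as delay
| delay / 60000 as delayInMinutes
// Keep only messages more than 5 minutes off in either direction.
| where abs(delayInMinutes) > 5
// A negative delay means the parsed message time is later than the time of receipt.
| if(delay < 0, "message time ahead of receipt", "message time behind receipt") as direction
| count as messages, max(delayInMinutes) as maxDelayInMinutes, min(delayInMinutes) as minDelayInMinutes by _sourceCategory, direction
```

A delay that clusters around a whole number of hours for one source often points to a timezone being parsed incorrectly rather than to slow delivery.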

How old are your messages?

This query lets you determine the age of your log messages.

* | formatDate(_messagetime, "MM/dd/yyyy HH:mm:ss:SSS") as messageDate
| formatDate(now(), "MM/dd/yyyy HH:mm:ss:SSS") as today
| now() as currentTime
| currentTime - _messagetime as messageAge
| messageAge / (60*1000) as messageAgeInMinutes

Which produces results like this: