https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221094#M98883 <P>Try this</P> <P><STRONG><EM>UPDATED TO SHOW MONTH</EM></STRONG>*</P> <PRE><CODE>| rex field=x mode=sed "s/(?&lt;dt&gt;\w{3,4}\s\d\d?)([snrt][hd]),\s?(?&lt;yr&gt;\d{4})/\1, \3/g" | eval y=strptime(x,"%B %-d, %Y") | eval date=strftime(y, "%Y-%m") </CODE></PRE> Wed, 10 Aug 2016 13:03:52 GMT sundareshr 2016-08-10T13:03:52Z https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221093#M98882 <P>In splunk, I have a file which has date in the format June 16th,2014 and I am trying to extract out the month_year variable in the format 2014-06.</P> <P>Any help will be appreciated.</P> <P>TIA</P> Wed, 10 Aug 2016 04:09:12 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221093#M98882 singhnitin 2016-08-10T04:09:12Z https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221094#M98883 <P>Try this</P> <P><STRONG><EM>UPDATED TO SHOW MONTH</EM></STRONG>*</P> <PRE><CODE>| rex field=x mode=sed "s/(?&lt;dt&gt;\w{3,4}\s\d\d?)([snrt][hd]),\s?(?&lt;yr&gt;\d{4})/\1, \3/g" | eval y=strptime(x,"%B %-d, %Y") | eval date=strftime(y, "%Y-%m") </CODE></PRE> Wed, 10 Aug 2016 13:03:52 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221094#M98883 sundareshr 2016-08-10T13:03:52Z https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221095#M98884 <PRE><CODE>rex field=_raw "(?&lt;month&gt;\w+)\s\d+\w\w,(?&lt;year&gt;\d\d\d\d)" | eval MON=case(month == "Nov", "11", month == "July", "7", month == "June", "6", month == "Aug", "8") | eval date=year."-".MON | table date MON, year _raw </CODE></PRE> <P>it gives this output - </P> <PRE><CODE>date MON year _raw 2014-11 11 2014 the format Nov 10th,2014 and extract out the month_year in the format 2014-06. 2014-8 8 2014 the format Aug 6th,2014 and extract out the month_year in the format 2014-06. 2014-7 7 2014 the format July 1st,2014 and extract out the month_year in the format 2014-06. 2014-6 6 2014 the format June 16th,2014 and extract out the month_year in the format 2014-06. </CODE></PRE> Wed, 10 Aug 2016 13:44:17 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221095#M98884 inventsekar 2016-08-10T13:44:17Z https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221096#M98885 <P>Sir, i am trying this one.. but its not working. also may i know, what this one does - ([snrt][hd]) please</P> <P>sourcetype=monthyear | rex field=_raw mode=sed "s/(?<DL><DT>\w{3,4}\s\d\d?)([snrt][hd]),\s?(?\d{4})/\1, \3/g" | table dt yr _raw</DT></DL></P> <P></P> Wed, 10 Aug 2016 16:15:47 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221096#M98885 inventsekar 2016-08-10T16:15:47Z https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221097#M98886 <P>Try like this (run anywhere sample)</P> <PRE><CODE>| gentimes start=-1 | eval date="June 16th,2014" | table date| eval date_month=strftime(strptime(replace(date,"(\w+)([^,]+),(\d+)","1 \1 \3"),"%d %B %Y"),"%Y-%m") </CODE></PRE> Wed, 10 Aug 2016 16:58:38 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221097#M98886 somesoni2 2016-08-10T16:58:38Z https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221098#M98887 <P>Since you date can have st, nd, rd, th after the date, ([snrt][hd]) in the <CODE>rex</CODE> command is to remove those chars to it can be formatted into a epoch time.</P> <P>The <CODE>rex</CODE> command assume you have the date extracted into a field called <CODE>x</CODE>. if you don't have the date extracted, remove the <CODE>field=x</CODE> and try it. Like this</P> <PRE><CODE>| rex mode=sed "s/(?&lt;dt&gt;\w{3,4}\s\d\d?)([snrt][hd]),\s?(?&lt;yr&gt;\d{4})/\1, \3/g" | eval y=strptime(x,"%B %-d, %Y") | eval date=strftime(y, "%Y-%m") </CODE></PRE> Wed, 10 Aug 2016 17:25:21 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-date-time-format/m-p/221098#M98887 sundareshr 2016-08-10T17:25:21Z