https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365458#M107777 <P>I have a python program that's generating logs with the following format START_DATE=08-AUG-2017</P> <P>the problem is Splunk is interpreting the field value as a string and not a number, thus not a date. I would like to create a permanent field extraction to query the field as a date. How do I do that? </P> Thu, 10 Aug 2017 14:25:11 GMT AJNZAZ 2017-08-10T14:25:11Z https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365458#M107777 <P>I have a python program that's generating logs with the following format START_DATE=08-AUG-2017</P> <P>the problem is Splunk is interpreting the field value as a string and not a number, thus not a date. I would like to create a permanent field extraction to query the field as a date. How do I do that? </P> Thu, 10 Aug 2017 14:25:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365458#M107777 AJNZAZ 2017-08-10T14:25:11Z https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365459#M107778 <P>This documentation speaks to the convert command:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert</A></P> <P>Example: index="indexname" sourcetype="Sourcetype" Search condition | convert auto(Date) | stats count by Date</P> <P>If that does not help look at the strptime() function:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions</A></P> <P>Example: index="indexname" sourcetype="Sourcetype" Search condition | eval date_time = strptime(Date, "%H:%M") | stats count by date_time</P> <P>IF the issue your facing is with rex, look at the second link abo e for pattern options. Before you get into testing the strptime, you should confirm that your rex works.</P> Tue, 29 Sep 2020 15:19:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365459#M107778 mhouse3 2020-09-29T15:19:48Z https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365460#M107779 <P>At extract time, that is on this page - <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configuretimestamprecognition">https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configuretimestamprecognition</A></P> <P>The entries would look something like this...</P> <PRE><CODE>[your source type or source or whatever] TIME_PREFIX = START_DATE= TIME_FORMAT = %d-%b-%Y TZ = whatever time zone your data is coming from </CODE></PRE> <P>And if you also want the value stored as an epoch date in the START_DATE field as well, you could have a transform to do that... discussed here - <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configureindex-timefieldextraction">http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configureindex-timefieldextraction</A></P> <P>That might look something like this...</P> <PRE><CODE>[&lt;unique_transform_stanza_name&gt;] REGEX = . FORMAT = START_DATE::$1 DEST_KEY = START_DATE SOURCE_KEY = _time </CODE></PRE> Thu, 10 Aug 2017 16:13:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Convert-string-to-date-field-for-field-extraction/m-p/365460#M107779 DalJeanis 2017-08-10T16:13:15Z