https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469249#M192029 <P>@prot3ctor ,</P> <P>Try</P> <PRE><CODE>"Your search with fields dob,data" |eval newString=strftime(strptime(dob,"%Y-%m-%d"),"%y%m%d") |rex field=data "(?&lt;_f&gt;.)"|eval newString=replace(data,"^.",_f.newString) </CODE></PRE> Thu, 24 Oct 2019 16:22:21 GMT renjith_nair 2019-10-24T16:22:21Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469248#M192028 <P>Hello. </P> <P>Could anyone help me out?<BR /> I have a DoB string with the following format dob='2002-01-03' <BR /> I would like to format this string to look like this: 020103</P> <P>And then i would like to insert this data into an other sting after the 1st number which looks like this: data='1384198'</P> <P>So in the end i would get data2='1020103384198'</P> <P>Thank you </P> Thu, 24 Oct 2019 15:11:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469248#M192028 prot3ctor 2019-10-24T15:11:58Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469249#M192029 <P>@prot3ctor ,</P> <P>Try</P> <PRE><CODE>"Your search with fields dob,data" |eval newString=strftime(strptime(dob,"%Y-%m-%d"),"%y%m%d") |rex field=data "(?&lt;_f&gt;.)"|eval newString=replace(data,"^.",_f.newString) </CODE></PRE> Thu, 24 Oct 2019 16:22:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469249#M192029 renjith_nair 2019-10-24T16:22:21Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469250#M192030 <P>Will try. Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 31 Oct 2019 14:32:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469250#M192030 prot3ctor 2019-10-31T14:32:05Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469251#M192031 <P>Hi. So this only puts the 2 strings next to each other. Is there a way to insert 1 string after the 1st character of the 2nd string?<BR /> Example: <BR /> dob=861010<BR /> ssn=123456</P> <P>So in the end i would get a value what looks like this: 186101023456</P> <P>Thanks</P> Sun, 17 Nov 2019 17:14:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469251#M192031 prot3ctor 2019-11-17T17:14:47Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469252#M192032 <P>Like this:</P> <PRE><CODE>| makeresults | eval dob="2002-01-03", data="1384198" | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | eval data2 = substr(data, 1, 1). replace(dob, "^..|-", "") . substr(data, 2) </CODE></PRE> Sun, 17 Nov 2019 22:25:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469252#M192032 woodcock 2019-11-17T22:25:45Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469253#M192033 <P>@prot3ctor ,</P> <P>This is what I tried with the strings you provided</P> <PRE><CODE>|makeresults|eval dob="2002-01-03",data="1384198" |eval newString=strftime(strptime(dob,"%Y-%m-%d"),"%y%m%d") |rex field=data "(?&lt;_f&gt;.)"|eval newString=replace(data,"^.",_f.newString) </CODE></PRE> <P>and the result is <CODE>1020103384198</CODE></P> <P>dob="2002-01-03" =&gt; 020103<BR /> date = 1384198<BR /> Result = 1 020103 384198</P> Mon, 18 Nov 2019 04:46:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469253#M192033 renjith_nair 2019-11-18T04:46:41Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469254#M192034 <P>It wasnt working for me at 1st cause i had to strip the single quotes from data first. Then i managed to get it to work</P> <P>Thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 18 Nov 2019 21:54:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469254#M192034 prot3ctor 2019-11-18T21:54:35Z https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469255#M192035 <P>It wasnt working for me at 1st cause i had to strip the single quotes from data first. Then i managed to get it to work</P> <P>Thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 18 Nov 2019 21:55:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-format-and-then-insert-combine-them/m-p/469255#M192035 prot3ctor 2019-11-18T21:55:54Z