topic Re: eval to handle 2 scenarios in Splunk Search

eval to handle 2 scenarios

Raj_Splunk_Ing — Tue, 03 Jun 2025 13:04:17 GMT

Hi, I have this field in this format and i am using eval to convert but sometimes there is an extra space in it

after :

Mon 2 Jun 2025 20:51:24 : 792 EDT - with extra space after hhmmss (space before 792)

Mon 2 Jun 2025 20:51:24 :792 EDT - this is another scenario where there will be no space

i have to get 2 scenarios in this eval - any help
| eval date_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%m/%d/%Y")

Re: eval to handle 2 scenarios

Raj_Splunk_Ing — Tue, 03 Jun 2025 13:17:04 GMT

tried trim(field) but it not help

Re: eval to handle 2 scenarios

sainag_splunk — Tue, 03 Jun 2025 13:20:48 GMT

@Raj_Splunk_Ing try

| eval date_only=strftime(strptime(replace(ClintReqRcvdTime, "\s+", " "), "%a %d %b %Y %H:%M:%S :%N EDT"), "%m/%d/%Y")

Re: eval to handle 2 scenarios

Raj_Splunk_Ing — Tue, 03 Jun 2025 13:30:29 GMT

Hi, Sai, sometimes i dont get the extra space so i have to cover 2 scenarios

will this only work when there is an extra space or it should take care of it when there is no extra space also

as we are specifying the extra space in the format and removing

Re: eval to handle 2 scenarios

richgalloway — Tue, 03 Jun 2025 14:02:52 GMT

Try using sed to normalize the data before conversion.

| rex mode=sed field=ClintReqRcvdTime "s/: /:/" | eval date_only=strftime(strptime(ClintReqRcvdTime, "%a %d %b %Y %H:%M:%S :%3N %Z"), "%m/%d/%Y")

Re: eval to handle 2 scenarios

Raj_Splunk_Ing — Tue, 03 Jun 2025 14:21:51 GMT

hi Rich, is reg much better than replace.. in my case looks like replace is working

Re: eval to handle 2 scenarios

Raj_Splunk_Ing — Tue, 03 Jun 2025 14:41:00 GMT

Rich, this is working too; it will cover both scenarios right? when there is no extra space in it?

Re: eval to handle 2 scenarios

richgalloway — Tue, 03 Jun 2025 15:21:29 GMT

Yes, this covers both cases. If the extra space is not present then sed does nothing.