topic Re: How To Concatenate String For Calculated Field? in Splunk Search

How To Concatenate String For Calculated Field?

vtsguerrero — Mon, 28 Sep 2020 19:24:24 GMT

Hello everybody, sup?

I need a little help for this, I have fields separated for a datetime, for example:

day_ini = 22;
mon_ini = 03;
year_ini = 2014;
hour_ini = 14;
minute_ini = 19;
second_ini = 03.

I know we can eval them like this:

eval datetime=strftime(strptime((YEAR_INI+""+MONTH_INI+""+DAY_INI+"."+""+HOUR_INI+""+MINUTE_INI),"%Y%m%d.%H%M"),"%Y-%m-%d %T")

In the search query it works perfectly, but when I put this for a calculated field, it doesn't concatenate, so the field is not created.
Is there another way I can create this calculated field using this strftime and strptime function together?

Thanks in advance!

Re: How To Concatenate String For Calculated Field?

vtsguerrero — Thu, 02 Apr 2015 17:22:15 GMT

Just forgot to say, this will be a datetime generated from several string fields, this is why I need those functions, and this calculated field should join the strings and convert'em to a datetime...

Re: How To Concatenate String For Calculated Field?

aljohnson_splun — Thu, 02 Apr 2015 18:24:13 GMT

Can you try the . concatenator and see if it changes anything ?

Re: How To Concatenate String For Calculated Field?

vtsguerrero — Thu, 02 Apr 2015 18:30:37 GMT

Still didn't work for the calculated field...

Re: How To Concatenate String For Calculated Field?

masonmorales — Thu, 02 Apr 2015 19:07:59 GMT

What happens if you do something like:

| eval datetime=strftime(strptime(tostring(YEAR_INI)+tostring(MONTH_INI)+tostring(DAY_INI)+"."+tostring(HOUR_INI)+tostring(MINUTE_INI),"%Y%m%d.%H%M"),"%Y-%m-%d %T")

Re: How To Concatenate String For Calculated Field?

somesoni2 — Thu, 02 Apr 2015 19:08:06 GMT

I tried something like this and worked fine for me (I was able to see the new field)

strftime(strptime((YEAR_INI.MONTH_INI.DAY_INI.".".HOUR_INI.MINUTE_INI),"%Y%m%d.%H%M"),"%Y-%m-%d %T")

Re: How To Concatenate String For Calculated Field?

vtsguerrero — Mon, 06 Apr 2015 12:54:41 GMT

Hello, I'm not sure if calculated fields might accept two functions at once, because, I tried both ways and still can't see the new field in search even though I'm sure they fit the same sourcetype:

DATETIME_TEST01 strftime(strptime((ANO_INI_PV.MES_INI_PV.DIA_INI_PV.".".HORA_INI_PV.MINUTO_INI_PV),"%Y%m%d.%H%M"),"%Y-%m-%d %T")

DATETIME_TEST02 strftime(strptime(tostring(ANO_INI_PV)+tostring(MES_INI_PV)+tostring(DIA_INI_PV)+"."+tostring(HORA_INI_PV)+tostring(MINUTO_INI_PV),"%Y%m%d.%H%M"),"%Y-%m-%d %T")

Both still didn't work, I dunno what's happening...

Re: How To Concatenate String For Calculated Field?

vtsguerrero — Mon, 06 Apr 2015 13:46:05 GMT

Put the exact same way in Calculated Fields, still didn't create the new field... The strange thing is that, if I put the values hard code instead of variables ( MINUTE_INI, ETC ) it works, but if I need to concatenate these, they don't work...