Good morning!
I have a field for a year and a field for a month. Can I join these two together to create a date that I can then make a timechart based off of? I have a lot of machines I'm tracking an OS version for and want to display a chart mapping machines to dates. We have a custom format of operating system, being '201804.1' for example, and I've extracted 2018 as a year and 04 as a month and want to create a visual based off of that.
I appreciate any help!
Yes, it is very easy, but you also need to convert to a time_t (AKA epoch) integer, so it would look like this:
... | eval _time = <YourYearFieldHere> . "/" . <YourMonthFieldHere>
| eval _time = strptime(_time, "%Y/%m")
| timechart ...
Hi @jkordis,
You can use the strptime command:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/DateandTimeFunctions#strptime
... | eval n=strptime(yearField."-".monthField, "%Y-%m")
Or you can use strftime command right away without any extractions on 201804.1.
Cheers,
David
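The strptime approach from the answers above, run end to end on constructed data, as an added example that is not part of any post in this thread. The field names host, os_version, os_year and os_month and the three sample values are assumptions; the day is pinned to 01 so the resulting timestamp does not depend on how a missing day is filled in.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample data: three machines reporting the custom OS version format ```
| eval host="host-".n, os_version=case(n==1, "201804.1", n==2, "201804.2", n==3, "201809.1")
``` pull the year and month out of the YYYYMM.N string ```
| rex field=os_version "^(?<os_year>\d{4})(?<os_month>\d{2})\."
``` build an epoch timestamp for the first day of that month and use it as the event time ```
| eval _time=strptime(os_year."-".os_month."-01", "%Y-%m-%d")
``` one bucket per month, counting distinct machines on an OS version from that month ```
| timechart span=1mon dc(host) AS machines
```

Events whose os_version does not match the pattern get a null _time and drop out of the chart, so a count of those is worth checking before trusting the totals.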
Yes, it's possible.
All you need to do is create a new field that is the combination of your year and month fields.
Syntax - eval date_combine = year."-".month ( "-" is used as a delimiter.)
You can then use the new field in your chart.
Below is an example with the internal index
index=_internal | eval date_combine= date_hour."-".date_year | timechart count by date_combine