Dashboards & Visualizations

How to Extract the day from the Day from the DATE in splunk

aditsss
Motivator

Hi Everyone,

I have one field called  BuildStartDate. Its showing Dates like below:

Mon Jan 11 09:00:13 MST 2021

Sun Jan 10 09:00:01 MST 2021

 

I want only  to Display BuildStartDate in following Format

Mon Jan 11 2021

Sun Jan 10 2021

Can someone guide me how can I do that.

Thanks in advance

Labels (3)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

There was a typo in my query, there shouldn't be space after field= 

Please try below;

index="abc" sourcetype="xyzt" BuildName!="g*" (BuildResult ="*") 
| eval TimeTaken=round('BuildDuration'/1000) 
| fieldformat TimeTaken = tostring(TimeTaken, "duration") 
| rex mode=sed field=BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g" 
| table ORG BuildResult BuildStartDate TimeTaken 
| where ORG="gcp"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma

scelikok
SplunkTrust
SplunkTrust

There was a typo in my query, there shouldn't be space after field= 

Please try below;

index="abc" sourcetype="xyzt" BuildName!="g*" (BuildResult ="*") 
| eval TimeTaken=round('BuildDuration'/1000) 
| fieldformat TimeTaken = tostring(TimeTaken, "duration") 
| rex mode=sed field=BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g" 
| table ORG BuildResult BuildStartDate TimeTaken 
| where ORG="gcp"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @aditsss,

You can use below query;

| rex mode=sed field= BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

aditsss
Motivator

@scelikok 

I tried like that but getting error in rex.

Can you guide me where I am wrong:

index="abc" sourcetype="xyzt" BuildName!="g*" (BuildResult ="*")|eval TimeTaken=round('BuildDuration'/1000) | fieldformat TimeTaken = tostring(TimeTaken, "duration")| rex mode=sed field= BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g"|table ORG BuildResult BuildStartDate TimeTaken| where ORG="gcp"

Getting below Error:

Error in 'rex' command: Failed to initialize sed. cannot find sed command: B

Can you guide me where I am wrong.

Thanks in advance

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...