Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract Date from Day format

aditsss
Motivator
‎01-23-2021 04:48 AM

Hi All,

I have one field Rundatetime which is in below format:

10/25/2020 3:57

10/16/2020 5:22

I just want to extract Date from it as below:

10/25/2020

10/16/2020

How can I do that. Can someone guide me

My current query is this:

| inputlookup mnr_rally_defects2.csv| table Rundatetime 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2021 09:34 AM

Hi @aditsss,

for this reason I hinted to use rex instead substr!

Try again with my rex hint.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2021 07:32 AM

Hi @aditsss,

you can use the solution of @termcap, that surely works, or the following regex:

 

| rex field=Rundatetime "^(?<date>[^ ]+)"

 

Ciao.

Giuseppe 

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-23-2021 09:31 AM

@gcusello 

I am not getting all the dates correct :

1/8/2021 3:
1/9/2021 3:
10/16/2020
10/17/2020
10/20/2020
10/25/2020
10/27/2020
11/14/2020
11/17/2020
11/18/2020
12/2/2020 3
12/24/2020
12/30/2020

 

Getting some values like below.

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2021 09:34 AM

Hi @aditsss,

for this reason I hinted to use rex instead substr!

Try again with my rex hint.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

aditsss
Motivator
‎01-23-2021 09:40 AM

@gcusello 

I used like  this:

 

| inputlookup mnr_rally_defects1.csv| rex field=rundatetime "?(?<date>[^ ]+)"| table date

getting below error:

Error in 'rex' command: Encountered the following error while compiling the regex '?(?<date>[^ ]+)': Regex: quantifier does not follow a repeatable item.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2021 09:46 AM

Hi @aditsss,

sorry!

there was a typing error, please try this:

| rex field=Rundatetime "^(?<date>[^ ]+)"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

termcap
Path Finder
‎01-23-2021 05:25 AM

 

| inputlookup mnr_rally_defects2.csv| eval date_today=substr(Rundatetime ,1,11)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...