Solved: How to convert all fields that have "Date" in the ...

nfieglein · ‎11-03-2014

Hi,
I have a number of date fields in a JSON message. I would like to be able to use standard date comparison functions on those fields, but I have to convert them to date fields first. Is there a mechanism to convert all fields which have Date in the name?

Thanks

somesoni2 · ‎11-05-2014

You can have a look at the convert command which can convert a string to date and can take wildcard in the field name.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert

A sample will be

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

View solution in original post

nfieglein · ‎11-06-2014

The following from somesoni2 works perfectly! Thanks somesoni2!

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

somesoni2 · ‎11-05-2014

You can have a look at the convert command which can convert a string to date and can take wildcard in the field name.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert

A sample will be

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

somesoni2 · ‎11-03-2014

You're looking for a search time option or some automatic option (in props/transforms conf files)?

nfieglein · ‎11-05-2014

I would be fine with a search time option, but I would like to be able to add a correspnding epoch time field for every date value that I have, including multivalue fields.

How to convert all fields that have "Date" in the name to a standard date format from JSON message data?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!