Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fix date format to extracted eval field?

pp3295
Explorer
‎08-10-2022 02:18 AM 
index="indnewwrapper" | search rfq_id:
| join [ search index="indnewwrapper" | search rfq_id:
| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1900-01-01 12:00:00.000") ]
| eval validateEmailMessagecomplete1=strftime(strftime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z"),"%Y-%m-%d %H:%M:%S")
| table pRFQ_Id,validateEmailMessagecomplete,validateEmailMessagecomplete1

I am finding a string in a search and extracting a validateEmailMessagecomplete date. using like function.

i am getting desired output but i am not able to change to datetime format validateEmailMessagecomplete1 it shows blank value

pp3295_0-1660123000436.png

i searched various post on the forum. but did not found desired solution.

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pp3295
Explorer
‎08-10-2022 04:48 AM

thanks bhai ( bro ), its working. showing values

pp3295_0-1660132013776.png

I am new to splunk, learning from this forum and youtube. do you know any good channels for splunk learning.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pp3295
Explorer
‎08-10-2022 03:02 AM

checked by your way. still now luck. But thanks for your support.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 03:09 AM

Epoch dates run from 1970 not 1900 - try this

| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1970-01-01 00:00:00.000")

Having said that, what is it you are trying to achieve with the join command? Perhaps there is another way to approach it

0 Karma
Reply
Solved! Jump to solution

pp3295
Explorer
‎08-10-2022 03:18 AM

pp3295_0-1660126678795.png

index="indnewwrapper" | search rfq_id:
| join [ search index="indnewwrapper" | search rfq_id:
| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1980-01-01 12:00:00.000") ]
| eval validateEmailMessagecomplete1=strptime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z")
| table pRFQ_Id,validateEmailMessagecomplete,validateEmailMessagecomplete1

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 03:35 AM

OK, assuming the sent_date matches the format string you are using, the string you are using if validateEmailMessage doesn't exist in _raw should match this format. Try it this way

| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"Thursday January 01 1970 01:00:00 AM BST") ]
0 Karma
Reply
Solved! Jump to solution

pp3295
Explorer
‎08-10-2022 04:06 AM

thanks for your reply. i think problem is

pp3295_0-1660129519953.png

when i individually use table sent_date , i found blank rows. because of this solution is not working. can we omit blank rows .

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 04:43 AM

OK The time formats have to match the format being used.

| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1970-01-01 00:00:00.000") ]
| eval validateEmailMessagecomplete1=strptime(validateEmailMessagecomplete,"%Y-%m-%d %H:%M:%S.%3N")
0 Karma
Reply
Solved! Jump to solution
Solution

pp3295
Explorer
‎08-10-2022 04:48 AM

thanks bhai ( bro ), its working. showing values

pp3295_0-1660132013776.png

I am new to splunk, learning from this forum and youtube. do you know any good channels for splunk learning.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 04:58 AM

Hard to say what is good - it depends on your learning style - there are tutorials, and courses, there are presentations from .conf and BSides, there are example dashboards and other apps in splunkbase, and then there's just trying stuff out in a sandbox environment just to see what it does.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 02:57 AM

You are using strftime twice, you need to use strptime for the inner function to parse the string into an epoch time before formatting it

| eval validateEmailMessagecomplete1=strftime(strptime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z"),"%Y-%m-%d %H:%M:%S")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
li.common.scroll-to.top