
How to fix date format to extracted eval field?

pp3295
Explorer
index="indnewwrapper" | search rfq_id:
| join [ search index="indnewwrapper" | search rfq_id:
| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1900-01-01 12:00:00.000") ]
| eval validateEmailMessagecomplete1=strftime(strftime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z"),"%Y-%m-%d %H:%M:%S")
| table pRFQ_Id,validateEmailMessagecomplete,validateEmailMessagecomplete1

I am finding a string in a search and extracting a validateEmailMessagecomplete date using the like function.

I am getting the desired output, but I am not able to change validateEmailMessagecomplete1 to datetime format; it shows a blank value.


I searched various posts on the forum but did not find the desired solution.



pp3295
Explorer

Checked it your way, still no luck. But thanks for your support.


ITWhisperer
SplunkTrust

Epoch dates run from 1970, not 1900 - try this

| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1970-01-01 00:00:00.000")

Having said that, what is it you are trying to achieve with the join command? Perhaps there is another way to approach it


pp3295
Explorer


index="indnewwrapper" | search rfq_id:
| join [ search index="indnewwrapper" | search rfq_id:
| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1980-01-01 12:00:00.000") ]
| eval validateEmailMessagecomplete1=strptime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z")
| table pRFQ_Id,validateEmailMessagecomplete,validateEmailMessagecomplete1


ITWhisperer
SplunkTrust

OK, assuming sent_date matches the format string you are using, the string you use when validateEmailMessage doesn't exist in _raw should match that format as well. Try it this way

| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"Thursday January 01 1970 01:00:00 AM BST") ]

pp3295
Explorer

Thanks for your reply. I think the problem is


When I individually use table sent_date, I find blank rows. Because of this the solution is not working. Can we omit the blank rows?


ITWhisperer
SplunkTrust

OK. The time formats have to match the format being used.

| eval validateEmailMessagecomplete=if(like(_raw,"%validateEmailMessage()%"), sent_date,"1970-01-01 00:00:00.000") ]
| eval validateEmailMessagecomplete1=strptime(validateEmailMessagecomplete,"%Y-%m-%d %H:%M:%S.%3N")

pp3295
Explorer

Thanks bhai (bro), it's working, showing values.


I am new to Splunk, learning from this forum and YouTube. Do you know any good channels for Splunk learning?


ITWhisperer
SplunkTrust

Hard to say what is good - it depends on your learning style - there are tutorials, and courses, there are presentations from .conf and BSides, there are example dashboards and other apps in splunkbase, and then there's just trying stuff out in a sandbox environment just to see what it does.


ITWhisperer
SplunkTrust

You are using strftime twice; you need to use strptime for the inner function to parse the string into an epoch time before formatting it.

| eval validateEmailMessagecomplete1=strftime(strptime(validateEmailMessagecomplete,"%A %B %d %Y %I:%M:%S %p %Z"),"%Y-%m-%d %H:%M:%S")
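As an added illustration (not code from this thread or from Splunk), the following Python mimics the two behaviours the replies above rely on: Splunk's strptime() returns null when the string does not match the format, and strftime() returns null when it is handed a string instead of an epoch. The function names (splunk_like_strptime, splunk_like_strftime, complete_field) and the sample events are assumptions constructed for the example; the long format drops %Z because Python's strptime only accepts a handful of zone names.

```python
from datetime import datetime, timezone

# Constructed sample events (raw message, sent_date); the second one has no sent_date,
# like the blank rows the asker saw. Not data from the thread.
EVENTS = [
    ("step validateEmailMessage() done", "Saturday January 01 2022 01:00:00 AM"),
    ("step something else", None),
]

# Thread's long format minus %Z (Python's strptime only knows a few zone names).
LONG_FMT = "%A %B %d %Y %I:%M:%S %p"
# Thread's ISO-style format; Splunk's %3N fraction is closest to Python's %f here.
ISO_FMT = "%Y-%m-%d %H:%M:%S.%f"


def splunk_like_strptime(value, fmt):
    """Mimic Splunk strptime(): epoch seconds, or None (null) when the string
    is missing or does not match the format. UTC is assumed for determinism."""
    if value is None:
        return None
    try:
        parsed = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return parsed.timestamp()


def splunk_like_strftime(epoch, fmt):
    """Mimic Splunk strftime(): formats an epoch number; anything else (a string,
    None) yields None, which is why strftime(strftime(...)) came back blank."""
    if not isinstance(epoch, (int, float)) or isinstance(epoch, bool):
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def complete_field(raw, sent_date, fallback, parse_fmt):
    """The thread's eval chain: pick sent_date when the marker is in _raw,
    otherwise the fallback; parse with parse_fmt; render as %Y-%m-%d %H:%M:%S."""
    value = sent_date if "validateEmailMessage()" in raw else fallback
    epoch = splunk_like_strptime(value, parse_fmt)
    return splunk_like_strftime(epoch, "%Y-%m-%d %H:%M:%S")


def run_variants():
    """Apply the three fallback choices discussed in the thread to both events."""
    variants = {
        # Original: fallback in ISO form but parsed with the long format -> null.
        "mismatched_fallback": ("1900-01-01 12:00:00.000", LONG_FMT),
        # ITWhisperer's fix: fallback written in the same long format.
        "matching_long": ("Thursday January 01 1970 01:00:00 AM", LONG_FMT),
        # ITWhisperer's final fix: ISO fallback parsed with an ISO format.
        "matching_iso": ("1970-01-01 00:00:00.000", ISO_FMT),
    }
    results = {}
    for name, (fallback, fmt) in variants.items():
        results[name] = [complete_field(raw, sent, fallback, fmt) for raw, sent in EVENTS]
    return results


if __name__ == "__main__":
    for name, values in run_variants().items():
        print(f"{name}: {values}")
```

The second event in each variant is the interesting one: with a fallback that does not match the parse format it renders as None, exactly the blank cell in the original table, while a fallback written in the same format as the parse string produces a real date. Note that in the "matching_iso" variant the first event's sent_date is in the long format and so becomes None; in practice one format has to be chosen for both sent_date and the fallback.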