I'm trying to use a lookup table to get the # of days in the current month (I was told at .conf2012 that is the only way to do it). If there is an operator to return this (similar to date_mday) that would be fantastic, but if not....
I was told that the date_month field returned a numeric value for the month (i.e. September = 9) but it does not, it returns a string like "september".
Is there a numeric alternative to this operator where it would return 09 or 9?
It would be better to use
| eval month=strftime(_time,"%m")
even if date_month exists
btw, a lookup is not the only way. you can use a case() function in the eval search command, and while it's a long expression, you can make that expression into a macro.
correct. it is a bad idea to use the date_* fields because:
therefore, as lguinn says, it's a lot better to derive it from _time.
but all that said, it's possible to make a lookup table to map from the english name ("september") to the number of days if you really insisted on using date_month (or used month_text=strftime(_time,"%b"))
yes, use a conversion of _time field.
mysearch | convert timeformat="%m" ctime(_time) AS date_month_numeric | table _time date_month date_month_numeric
see http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/convert
in general, if an eval function exists, it is preferred over a standalone search command, eg., strftime() or strptime() is slightly better than convert, case() is better than rangemap etc.
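The case() approach mentioned in this thread, written out as an added example (not code from any of the posters): it derives the numeric month and year from _time and computes the number of days in that month, including the Gregorian leap-year rule for February. mysearch is the thread's placeholder base search; the field names month, year, leap and days_in_month are chosen here for illustration.

```spl
mysearch
| eval month=tonumber(strftime(_time,"%m")), year=tonumber(strftime(_time,"%Y"))
| eval leap=if((year%4==0 AND year%100!=0) OR year%400==0, 1, 0)
| eval days_in_month=case(
    month==2 AND leap==1, 29,
    month==2, 28,
    month==4 OR month==6 OR month==9 OR month==11, 30,
    true(), 31)
| table _time month year days_in_month
```

The three eval steps can be saved as a macro so the long case() expression is written only once.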