Join a year and month to create a date

jkordis · ‎08-19-2019

Good morning!

I have a field for a year and a field for a month. Can I join these two together to create a date that I can then make a timechart based off of. I have a lot of machines I'm tracking an OS version for and want to display a chart mapping machines to dates. We have a custom format of operating system being '201804.1' for example and I've extracted 2018 as a year and 04 as a month and want to create a a visual based off of that.

I appreciate any help!

woodcock · ‎08-19-2019

Yes, it is very easy but you also need to convert to time_t (AKA epoch) integer so it would look like this

... | eval _time = <YourYearFieldHere> . "/" . <YourMonthFieldHere>
| eval _time strptime(_time, "%Y/%m")
| timechart ...

DavidHourani · ‎08-19-2019

Hi @jkordis,

You can use the strptime command :
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/DateandTimeFunctions#strptime

... | eval n=strptime(yearField."-".monthField, "%Y-%m")

Or you can use strftime command right away without any extractions on 201804.1.

Cheers,
David

chinmoya · ‎08-19-2019

Yes, its possible.

All you need to do it create a new field that the combination of your year and month field.
Syntax - eval date_combine = year."-".month ( "-" is used as a delimiter.)
You can then use the new field in your chart.

Below is an example with the internal index
index=_internal | eval date_combine= date_hour."-".date_year | timechart count by date_combine

Join a year and month to create a date

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!