Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk date time format
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
singhnitin
New Member
08-09-2016
09:09 PM
In splunk, I have a file which has date in the format June 16th,2014 and I am trying to extract out the month_year variable in the format 2014-06.
Any help will be appreciated.
TIA
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-10-2016
09:58 AM
Try like this (run anywhere sample)
| gentimes start=-1 | eval date="June 16th,2014" | table date| eval date_month=strftime(strptime(replace(date,"(\w+)([^,]+),(\d+)","1 \1 \3"),"%d %B %Y"),"%Y-%m")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-10-2016
09:58 AM
Try like this (run anywhere sample)
| gentimes start=-1 | eval date="June 16th,2014" | table date| eval date_month=strftime(strptime(replace(date,"(\w+)([^,]+),(\d+)","1 \1 \3"),"%d %B %Y"),"%Y-%m")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
08-10-2016
06:44 AM
rex field=_raw "(?<month>\w+)\s\d+\w\w,(?<year>\d\d\d\d)" | eval MON=case(month == "Nov", "11", month == "July", "7", month == "June", "6", month == "Aug", "8") | eval date=year."-".MON | table date MON, year _raw
it gives this output -
date MON year _raw
2014-11 11 2014 the format Nov 10th,2014 and extract out the month_year in the format 2014-06.
2014-8 8 2014 the format Aug 6th,2014 and extract out the month_year in the format 2014-06.
2014-7 7 2014 the format July 1st,2014 and extract out the month_year in the format 2014-06.
2014-6 6 2014 the format June 16th,2014 and extract out the month_year in the format 2014-06.
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-10-2016
06:03 AM
Try this
UPDATED TO SHOW MONTH*
| rex field=x mode=sed "s/(?<dt>\w{3,4}\s\d\d?)([snrt][hd]),\s?(?<yr>\d{4})/\1, \3/g" | eval y=strptime(x,"%B %-d, %Y") | eval date=strftime(y, "%Y-%m")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
08-10-2016
09:15 AM
Sir, i am trying this one.. but its not working. also may i know, what this one does - ([snrt][hd]) please
sourcetype=monthyear | rex field=_raw mode=sed "s/(?
- \w{3,4}\s\d\d?)([snrt][hd]),\s?(?\d{4})/\1, \3/g" | table dt yr _raw
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-10-2016
10:25 AM
Since you date can have st, nd, rd, th after the date, ([snrt][hd]) in the rex command is to remove those chars to it can be formatted into a epoch time.
The rex command assume you have the date extracted into a field called x. if you don't have the date extracted, remove the field=x and try it. Like this
| rex mode=sed "s/(?<dt>\w{3,4}\s\d\d?)([snrt][hd]),\s?(?<yr>\d{4})/\1, \3/g" | eval y=strptime(x,"%B %-d, %Y") | eval date=strftime(y, "%Y-%m")
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
