Re: Creating a custom date field

ebruozys · ‎02-13-2018

Hi,

Is there a way to create a custom date field in Splunk?

Sow lets say I have multiple events, all of these events have a date field CREATIONDATE. Now I want to create a new date field for events that have the action called "Validation" in them. And I would like to call this new date field VALIDATIONDATE.

I'm thinking this should be possible with the 'where' command, but I'm not certain how to use it.

493669 · ‎02-14-2018

you can try like this:

index=indexname action="Validation"|eval VALIDATIONDATE=now()|eval VALIDATIONDATE=strftime(VALIDATIONDATE,"%d/%m/%Y %H:%M:%S")

here search for action="Validation" then create new field VALIDATIONDATE using eval function and assign it the value like here it will assign current time .

Richfez · ‎02-14-2018

What should the new date field's contents be? A copy of CREATIONDATE?

... | eval VALIDATIONDATE=CREATIONDATE

The current time?
... | eval VALIDATIONDATE=now()

Some other date relative to CREATIONDATE?
... | eval VALIDATIONDATE=relative_time(CREATIONDATE, "-1w")

If instead you are trying to create a new extraction to create this date out of some "validation date" that's inside an event, please post one of the events in question and we can totally help you with this!

ebruozys · ‎02-14-2018

The validation date is indeed a copy of the creationdate, but as I mentioned above it should only be created when its combined with the event action "Validation"

Creating a custom date field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation