Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I change a field to a date field?

maria2691
Path Finder
‎02-09-2018 11:43 AM

Hello Everyone

I have a field Month which has values like April 2017, May 2018,...
I am calculating with these using a stats command and I would like to sort by the Months in descending order.
When I use the sort command the values are sorted by Alphabetical order.
Hence I used strftime to convert the field into a date field, however I do not get any result.
Please find the query I have used below and help me with the corrections!

    source=*
    | fillnull value=0 "Budget Overrun percentage" 
    | eval Month=SUBSTR('Month',4, 15) 
    | eval "Budget Overrun percentage"= SUBSTR('Budget Overrun percentage', 1,1) 
    | stats values("Budget Overrun percentage") by Month 
    | sort by Month

Thanks
Maria Arokiaraj

Tags (2)
0 Karma
Reply

micahkemp
Champion
‎02-09-2018 07:43 PM

Can you include what Month looks like prior to your changing it with substr?

0 Karma
Reply

maria2691
Path Finder
‎02-09-2018 07:28 PM

Hello @elliotproebstel

This does not seem to be working 😞
Not getting any results when using these commands.

0 Karma
Reply

493669
Super Champion
‎02-09-2018 07:44 PM

when you try below what output you are receiving? d

source=* | fillnull value=0 "Budget Overrun percentage"
0 Karma
Reply

elliotproebstel
Champion
‎02-09-2018 12:24 PM

By line 5, if Month contains values like "April 2017", "May 2018", etc., then the following should work to replace line 6:

| eval parsable_date="01 ".Month
| eval sort_date=strptime(parsable_date, "%d %B %Y")
| sort sort_date

And if you don't like seeing those extra fields there, you could remove them by adding this to the end:

| fields - sort_date parsable_date

Basically, I create parsable_date because I don't think strptime can create an epoch date string for a date that doesn't have a day specified.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...

What's New in Splunk Observability - November 2025

What's New We’re excited to announce the latest enhancements to Splunk Observability Cloud and ...

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...