Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Convert string to date field for field extraction

AJNZAZ
Explorer
‎08-10-2017 07:25 AM

I have a python program that's generating logs with the following format START_DATE=08-AUG-2017

the problem is Splunk is interpreting the field value as a string and not a number, thus not a date. I would like to create a permanent field extraction to query the field as a date. How do I do that?

Reply

DalJeanis
Legend
‎08-10-2017 09:13 AM

At extract time, that is on this page - https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configuretimestamprecognition

The entries would look something like this...

[your source type or source or whatever]
TIME_PREFIX =  START_DATE=
TIME_FORMAT = %d-%b-%Y
TZ = whatever time zone your data is coming from

And if you also want the value stored as an epoch date in the START_DATE field as well, you could have a transform to do that... discussed here - http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configureindex-timefieldextraction

That might look something like this...

[<unique_transform_stanza_name>]
REGEX = .
FORMAT = START_DATE::$1
DEST_KEY = START_DATE
SOURCE_KEY = _time
0 Karma
Reply

mhouse3
Path Finder
‎08-10-2017 09:08 AM

This documentation speaks to the convert command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert

Example: index="indexname" sourcetype="Sourcetype" Search condition | convert auto(Date) | stats count by Date

If that does not help look at the strptime() function:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Example: index="indexname" sourcetype="Sourcetype" Search condition | eval date_time = strptime(Date, "%H:%M") | stats count by date_time

IF the issue your facing is with rex, look at the second link abo e for pattern options. Before you get into testing the strptime, you should confirm that your rex works.

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top