Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to Convert string to date field for field extraction

AJNZAZ
Explorer
‎08-10-2017 07:25 AM

I have a python program that's generating logs with the following format START_DATE=08-AUG-2017

the problem is Splunk is interpreting the field value as a string and not a number, thus not a date. I would like to create a permanent field extraction to query the field as a date. How do I do that?

Reply

DalJeanis
Legend
‎08-10-2017 09:13 AM

At extract time, that is on this page - https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configuretimestamprecognition

The entries would look something like this...

[your source type or source or whatever]
TIME_PREFIX =  START_DATE=
TIME_FORMAT = %d-%b-%Y
TZ = whatever time zone your data is coming from

And if you also want the value stored as an epoch date in the START_DATE field as well, you could have a transform to do that... discussed here - http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configureindex-timefieldextraction

That might look something like this...

[<unique_transform_stanza_name>]
REGEX = .
FORMAT = START_DATE::$1
DEST_KEY = START_DATE
SOURCE_KEY = _time
0 Karma
Reply

mhouse3
Path Finder
‎08-10-2017 09:08 AM

This documentation speaks to the convert command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert

Example: index="indexname" sourcetype="Sourcetype" Search condition | convert auto(Date) | stats count by Date

If that does not help look at the strptime() function:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Example: index="indexname" sourcetype="Sourcetype" Search condition | eval date_time = strptime(Date, "%H:%M") | stats count by date_time

IF the issue your facing is with rex, look at the second link abo e for pattern options. Before you get into testing the strptime, you should confirm that your rex works.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...