Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Convert string to date field for field extraction

AJNZAZ
Explorer
‎08-10-2017 07:25 AM

I have a python program that's generating logs with the following format START_DATE=08-AUG-2017

the problem is Splunk is interpreting the field value as a string and not a number, thus not a date. I would like to create a permanent field extraction to query the field as a date. How do I do that?

Reply

DalJeanis
Legend
‎08-10-2017 09:13 AM

At extract time, that is on this page - https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configuretimestamprecognition

The entries would look something like this...

[your source type or source or whatever]
TIME_PREFIX =  START_DATE=
TIME_FORMAT = %d-%b-%Y
TZ = whatever time zone your data is coming from

And if you also want the value stored as an epoch date in the START_DATE field as well, you could have a transform to do that... discussed here - http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configureindex-timefieldextraction

That might look something like this...

[<unique_transform_stanza_name>]
REGEX = .
FORMAT = START_DATE::$1
DEST_KEY = START_DATE
SOURCE_KEY = _time
0 Karma
Reply

mhouse3
Path Finder
‎08-10-2017 09:08 AM

This documentation speaks to the convert command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert

Example: index="indexname" sourcetype="Sourcetype" Search condition | convert auto(Date) | stats count by Date

If that does not help look at the strptime() function:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Example: index="indexname" sourcetype="Sourcetype" Search condition | eval date_time = strptime(Date, "%H:%M") | stats count by date_time

IF the issue your facing is with rex, look at the second link abo e for pattern options. Before you get into testing the strptime, you should confirm that your rex works.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...