Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change format and then insert+combine them

prot3ctor
New Member
‎10-24-2019 08:11 AM

Hello.

Could anyone help me out?
I have a DoB string with the following format dob='2002-01-03'
I would like to format this string to look like this: 020103

And then i would like to insert this data into an other sting after the 1st number which looks like this: data='1384198'

So in the end i would get data2='1020103384198'

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-24-2019 09:22 AM

@prot3ctor ,

Try

"Your search with fields dob,data"
|eval newString=strftime(strptime(dob,"%Y-%m-%d"),"%y%m%d")
|rex field=data "(?<_f>.)"|eval newString=replace(data,"^.",_f.newString)
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-17-2019 02:25 PM

Like this:

| makeresults 
| eval dob="2002-01-03", data="1384198"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval data2 = substr(data, 1, 1). replace(dob, "^..|-", "") . substr(data, 2)
0 Karma
Reply
Solved! Jump to solution

prot3ctor
New Member
‎11-18-2019 01:54 PM

It wasnt working for me at 1st cause i had to strip the single quotes from data first. Then i managed to get it to work

Thanks a lot 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-24-2019 09:22 AM

@prot3ctor ,

Try

"Your search with fields dob,data"
|eval newString=strftime(strptime(dob,"%Y-%m-%d"),"%y%m%d")
|rex field=data "(?<_f>.)"|eval newString=replace(data,"^.",_f.newString)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

prot3ctor
New Member
‎11-18-2019 01:55 PM

It wasnt working for me at 1st cause i had to strip the single quotes from data first. Then i managed to get it to work

Thanks a lot 🙂

0 Karma
Reply
Solved! Jump to solution

prot3ctor
New Member
‎11-17-2019 09:14 AM

Hi. So this only puts the 2 strings next to each other. Is there a way to insert 1 string after the 1st character of the 2nd string?
Example:
dob=861010
ssn=123456

So in the end i would get a value what looks like this: 186101023456

Thanks

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎11-17-2019 08:46 PM

@prot3ctor ,

This is what I tried with the strings you provided

|makeresults|eval dob="2002-01-03",data="1384198"
|eval newString=strftime(strptime(dob,"%Y-%m-%d"),"%y%m%d")
|rex field=data "(?<_f>.)"|eval newString=replace(data,"^.",_f.newString)

and the result is 1020103384198

dob="2002-01-03" => 020103
date = 1384198
Result = 1 020103 384198

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

prot3ctor
New Member
‎10-31-2019 07:32 AM

Will try. Thanks 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...