Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to combine multiple time fields in order to create a full date for an event occurrence

asewell97
New Member
‎10-14-2019 06:32 AM

I currently have 3 different fields that contain parts of a date that must be put together to give a full time. I have day, hour and minute fields that are currently separate and need to be combined as I want to display the time an event occurred in a table.

1. Field 1 = day
2. Field 2 = hour
3. Field 3 = minute

I need it to be:

1. Field 1 = day:hour:minute

If someone could help with this it would be much appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2019 07:37 AM

HI asewell97,
are youspeking of search time or index time? in other words: did you already indexed data and you want to display date field or you want to index events setting the correct timestamp using the three fields?

If you're working at search time, it's easy, use eval command in your searches:

| eval my_date=field1." ".field2.":".field3

If instead you are speaking of index time, please share an example of your logs to create the correct TIME_FORMAT option.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2019 07:37 AM

HI asewell97,
are youspeking of search time or index time? in other words: did you already indexed data and you want to display date field or you want to index events setting the correct timestamp using the three fields?

If you're working at search time, it's easy, use eval command in your searches:

| eval my_date=field1." ".field2.":".field3

If instead you are speaking of index time, please share an example of your logs to create the correct TIME_FORMAT option.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

asewell97
New Member
‎10-14-2019 08:12 AM

Hi, the eval command was what I was looking for. I've got it all working now so thanks for the help.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2019 07:36 AM

Use concatenation.

... | eval field=field1.":".field2.":"field3
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...