Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create correct format inside a multivalue field?

Flenwy
Explorer
‎08-07-2023 05:55 AM

Hello to all,

I have a multivalue field with a date and also a null value. In addition I have the problem that the format of the date is twisted from the original data.

Hope someone can help me 🙂

example:

outputdates (mv-field)
2023-07-29 12:06:20
28-07-2023 00:03:05
null

needed result:
outputdates (mv-field)
2023-07-29 12:06:20
2023-07-28 00:03:05

i tried splitting the field with mvexpand and then using strftime to adjust the format, unfortunately this is not working and i don't know exactly why.
Do I need to transform the "outputdates" as a time field to make strtime work again?

Am any help grateful.
Many greetings,
Flenwy



Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-07-2023 10:57 PM

You can do it like this

| makeresults
| fields - _time
| eval outputdates=split("2023-07-29 12:06:20,28-07-2023 00:03:05,", ",")
``` This uses any number of strftime variants to parse the dates - the succeeding one will prevail ```
| eval outputdates=mvmap(outputdates, strftime(max(
                         strptime(outputdates, "%F %T"), 
                         strptime(outputdates, "%d-%m-%Y %T")), 
                                               "%F %T"))

mvmap is used to iterate through the MV values. The first 3 lines set up your example

 

View solution in original post

Reply
Solved! Jump to solution

Flenwy
Explorer
‎08-17-2023 06:58 AM

Thank you all for the great help!
All your examples helped me understand some mechanics more in detail.

The solutions from @bowesmana was on the point the think i though about but i did not know how to do it.

Kind regards to all of you!

Reply
Solved! Jump to solution

Miasm1
Explorer
‎08-08-2023 12:27 AM

 

Hello Flenwy,

Certainly! It looks like you're dealing with dates in two different formats and also null values in a multivalue field. Here's a step-by-step solution to help you address the problem:

Identify the Format: You need to identify the format of each date string and then apply the necessary transformation. In your case, you have two formats: 'YYYY-MM-DD hh:mm:ss' and 'DD-MM-YYYY hh:mm:ss'.

Handle Null Values: Since you also have null values, you need to check for them before applying any transformations.

Transform the Dates: Depending on the identified format, you can then convert the date to the required format.

Here's a snippet of code that should help you achieve your goal:

from datetime import datetime

outputdates = [
    "2023-07-29 12:06:20",
    "28-07-2023 00:03:05",
    None
]

result = []

for date in outputdates:
    if date is None:
        continue
    try:
        # If it's in 'YYYY-MM-DD' format
        parsed_date = datetime.strptime(date, '%Y-%m-%d %H:%M:%S')
    except ValueError:
        # If it's in 'DD-MM-YYYY' format
        parsed_date = datetime.strptime(date, '%d-%m-%Y %H:%M:%S')

    result.append(parsed_date.strftime('%Y-%m-%d %H:%M:%S'))

print(result) # Output: ['2023-07-29 12:06:20', '2023-07-28 00:03:05']

 

The code snippet above reads through the outputdates list, recognizes the two formats, and standardizes them into the 'YYYY-MM-DD hh:mm:ss' format, ignoring any null values.

Remember to adjust the code according to your specific environment or programming language if you are not using Python.

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-07-2023 10:57 PM

You can do it like this

| makeresults
| fields - _time
| eval outputdates=split("2023-07-29 12:06:20,28-07-2023 00:03:05,", ",")
``` This uses any number of strftime variants to parse the dates - the succeeding one will prevail ```
| eval outputdates=mvmap(outputdates, strftime(max(
                         strptime(outputdates, "%F %T"), 
                         strptime(outputdates, "%d-%m-%Y %T")), 
                                               "%F %T"))

mvmap is used to iterate through the MV values. The first 3 lines set up your example

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2023 06:21 AM

To convert textual dates from one format to another requires both strptime and strftime.

| eval outputdates=if(match(outputdates,"\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d"), outputdates, strftime(strptime(outputdates, "%d-%m-%Y %H:%M:%S"), "%Y-%m-%d %H:%M:%S"))

Because strptime will return null if the input doesn't match the specified format, we use if to test for the format we want to convert.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...