Solved: How to do data extraction?

mistydennis · ‎08-10-2022

I'm having trouble extracting some dates from a date field. Certain assets were provided with a generic date, and I can't seem to extract the date for these events.

Sample data:

lastscan	newdate
2022-08-10T06:51:33.874Z	2022-08-10
2022-08-10T00:06:19.920Z	2022-08-10
1969-12-31T23:59:59.999Z

SPL:
| eval newdate=strptime(lastscan,"%Y-%m-%d")
| eval newdate=strftime(newdate,"%Y-%m-%d")

As you can see, the events with the 1969 date are not extracting as expected and I'm getting no results for the "newdate" field.

Any thoughts on how I can extract the date from the 1969 events?

ITWhisperer · ‎08-10-2022

Epoch date times start from 1970 so if you are prepared to consider 1969-12-31T23:59:59.999 as 1970-01-01T00:00:00.000, then you could use fillnull

| eval newdate=strptime(lastscan,"%Y-%m-%d")
| fillnull value=0 newdate
| eval newdate=strftime(newdate,"%Y-%m-%d")

View solution in original post

ITWhisperer · ‎08-10-2022

Epoch date times start from 1970 so if you are prepared to consider 1969-12-31T23:59:59.999 as 1970-01-01T00:00:00.000, then you could use fillnull

| eval newdate=strptime(lastscan,"%Y-%m-%d")
| fillnull value=0 newdate
| eval newdate=strftime(newdate,"%Y-%m-%d")

How to do data extraction?

field extraction

table

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas