Solved: How to extract a field with date string values?

ashishlal82 · ‎03-08-2018

I extracted a field SNDateCreated (regex shown below), the values in this field are represented as strings.

index="win" source="ad" | rex "wCreated=\d{1,2}\:\d{1,2}\.\d{1,2}\s\w+\,\s\w+\s(?.*?)\s" | table SNDateCreated

My goal is to present SNDateCreated with dates 14 days back from now, it should be sorting based on the values in SNDateCreated rather than event dates.
Expected:
03/08/2018
03/07/2018
03/05/2018
..... going 14 days back.

elliotproebstel · ‎03-08-2018

If you have successfully extracted the dates into SNDateCreated and want to sort reverse-chronologically and retain only those in the last 14 days:

your search
| where date>=strftime(relative_time(now(), "-14d"), "%m/%d/%Y") 
| sort - date

View solution in original post

elliotproebstel · ‎03-08-2018

If you have successfully extracted the dates into SNDateCreated and want to sort reverse-chronologically and retain only those in the last 14 days:

your search
| where date>=strftime(relative_time(now(), "-14d"), "%m/%d/%Y") 
| sort - date

How to extract a field with date string values?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation