Solved: Re: How to extract a field with date string values...

ashishlal82 · ‎03-08-2018

I extracted a field SNDateCreated (regex shown below), the values in this field are represented as strings.

index="win" source="ad" | rex "wCreated=\d{1,2}\:\d{1,2}\.\d{1,2}\s\w+\,\s\w+\s(?.*?)\s" | table SNDateCreated

My goal is to present SNDateCreated with dates 14 days back from now, it should be sorting based on the values in SNDateCreated rather than event dates.
Expected:
03/08/2018
03/07/2018
03/05/2018
..... going 14 days back.

elliotproebstel · ‎03-08-2018

If you have successfully extracted the dates into SNDateCreated and want to sort reverse-chronologically and retain only those in the last 14 days:

your search
| where date>=strftime(relative_time(now(), "-14d"), "%m/%d/%Y") 
| sort - date

View solution in original post

elliotproebstel · ‎03-08-2018

If you have successfully extracted the dates into SNDateCreated and want to sort reverse-chronologically and retain only those in the last 14 days:

your search
| where date>=strftime(relative_time(now(), "-14d"), "%m/%d/%Y") 
| sort - date

How to extract a field with date string values?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

How to extract a field with date string values?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar