Splunk Search

How to transform this date format from 20151412 to 2015-14-12 using rex?

bruno_eduardo
Path Finder

Hi,

I am getting the input source file date from the name of the file itself (sourcefilename20151412.csv), like this:

index="radius"   |eval subname=substr(source,14,8) |top subname |table subname

result: 20151412

I want to transform this time format from 20151412 to 2015-14-12

Is it possible with rex? I would like know more about rex.

Thanks

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Rex is only one way to do this. You could use three substr commands to get the parts and then put them together using concatenation. Since you asked for rex, here is one method.

... | rex field=subname mode=sed "s/(\d{4})(\d{2})(\d{2})/\1-\2-\3/" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Rex is only one way to do this. You could use three substr commands to get the parts and then put them together using concatenation. Since you asked for rex, here is one method.

... | rex field=subname mode=sed "s/(\d{4})(\d{2})(\d{2})/\1-\2-\3/" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Perfectly valid approach. A quick test shows that eval/strptime is about 30% faster (on my laptop) when comparing to rex/sed with a query against a little over 100k sample events, so if efficiency is important, I would consider that.

If you want to test in your environment, try
... | eval myDate = strftime( subname, "%Y-%m-%d")

It won't help you in your quest to learn more about the rex command, though. 🙂

bruno_eduardo
Path Finder

Thank you

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Why not just follow it up with a | eval newDate = strptime(...) according to the docs here?

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...