Hello Splunkers,
I have a question about data I am trying to draw from Splunk. If you look at the fields, I am trying to do something like this.
Table:
report_name  report_date     time
AReport      2016-07-08      1:00PM
BReport      junkdatakdls;f  2:00PM
CReport      morejunkkfkdsd  3:00PM
From the above, how can I ask Splunk to keep only the report_date multivalue field values that are actually dates (of the form YYYY-MM-DD)?
I would like to leave the junk data out of that field, but I do not want to restrict the count of rows either. So I would like to make any value that is not in the date format YYYY-MM-DD just blank.
Thanks,
Daniel MacGillivray
In your search, you can filter out events that do not meet a specific pattern like this
... | regex report_date="\d{4}-\d\d-\d\d"
OR, if report_date is a multivalue field, you can use mvfilter, like this
... | eval report_date=mvfilter(match(report_date, "\d{4}-\d\d-\d\d"))
Hi Sundareshr,
Thank you! They both worked equally well. To add to these, I ended up finding more records in this field than I wanted to see, so I just added beginning-of-line and end-of-line anchors for good measure.
| regex report_date="^\d{4}-\d\d-\d\d$"
| eval report_date=mvfilter(match(report_date, "^\d{4}-\d\d-\d\d$"))
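Since SPL cannot be run outside Splunk, here is an added Python emulation (not code from the thread or from Splunk) of the two approaches above, run over constructed events shaped like the table in the question. It shows the difference that matters to the original question: `| regex` drops whole events, whereas `| eval ... mvfilter(match(...))` keeps every event and only blanks the non-date values. It also reproduces the follow-up finding: without `^` and `$`, a value such as `x2016-07-10y` slips through because `match()` is an unanchored search. The names `splunk_match`, `regex_command`, `eval_mvfilter` and the sample events are assumptions made for this example; the assumption that `mvfilter` yields null when no value survives is noted in the code.

```python
import re

# Constructed sample events shaped like the table in the question.
# report_date is modelled as a list because the question says it is multivalue;
# CReport carries two values so that mvfilter has something to keep and something to drop,
# and DReport shows the partial-match trap the follow-up ran into.
SAMPLE_EVENTS = [
    {"report_name": "AReport", "report_date": ["2016-07-08"], "time": "1:00PM"},
    {"report_name": "BReport", "report_date": ["junkdatakdls;f"], "time": "2:00PM"},
    {"report_name": "CReport", "report_date": ["morejunkkfkdsd", "2016-07-09"], "time": "3:00PM"},
    {"report_name": "DReport", "report_date": ["x2016-07-10y"], "time": "4:00PM"},
]

# The two patterns from the thread: the first answer's pattern and the anchored follow-up.
UNANCHORED = r"\d{4}-\d\d-\d\d"
ANCHORED = r"^\d{4}-\d\d-\d\d$"


def splunk_match(value, pattern):
    """Emulates Splunk's match(): a PCRE-style search anywhere in the value.
    Anchoring is entirely up to the pattern, which is why "^...$" changes the outcome."""
    return re.search(pattern, value) is not None


def regex_command(events, field, pattern):
    """Emulates `| regex field="pattern"`: an event survives only if at least one
    value of the field matches; non-matching events are removed from the result set."""
    return [e for e in events if any(splunk_match(v, pattern) for v in e.get(field, []))]


def eval_mvfilter(events, field, pattern):
    """Emulates `| eval field=mvfilter(match(field, "pattern"))`: every event survives,
    values that do not match are dropped from the multivalue field, and a field with
    no surviving values becomes null (modelled here as None; assumption about mvfilter)."""
    result = []
    for event in events:
        kept = [v for v in event.get(field, []) if splunk_match(v, pattern)]
        updated = dict(event)
        updated[field] = kept if kept else None
        result.append(updated)
    return result


def surviving_dates(events, field):
    """Helper for inspection: report_name -> list of surviving values (or None)."""
    return {e["report_name"]: e.get(field) for e in events}


if __name__ == "__main__":
    print("regex, unanchored :", surviving_dates(regex_command(SAMPLE_EVENTS, "report_date", UNANCHORED), "report_date"))
    print("regex, anchored   :", surviving_dates(regex_command(SAMPLE_EVENTS, "report_date", ANCHORED), "report_date"))
    print("mvfilter, anchored:", surviving_dates(eval_mvfilter(SAMPLE_EVENTS, "report_date", ANCHORED), "report_date"))
```

With the anchored pattern, `regex_command` returns only AReport and CReport (two rows), while `eval_mvfilter` returns all four rows with BReport and DReport blanked, which is the behaviour the question asked for. With the unanchored pattern, DReport's `x2016-07-10y` is accepted by both approaches, so when a field is meant to be validated as a whole value the anchors are not optional.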