Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not able to Extract Year and Quarter from the input field

gvssaicharan
Engager
‎03-29-2021 07:27 AM

I have a JSON Input Request like below

{"liabilityDetailsVOs":[{"processMasterId":null,"transactionMasterId":null,"transactionMasterType":null,"checkDate":"2020-12-31T00:00:00.000-0800","payrollCycleId":null,"payrollId":51113251,"cashCareXfer":null,"generalLedgerCoa99":null,"priorPeriodAdjustmentByCheck":null,"midYear":false,"midQuarter":false,"processDetailId":null,"transactionDetailId":null,"agencyId":1012,"companyAgencyId":51233519,"taxAmount":-72999.16,"amount2":null,"gross":null,"amount3":null,"traceId":null,"userField1":"V<%libh_id>","userField2":null,"userField3":null,"userField4":null,"userField5":null,"userField6":null,"userField7":null,"userField8":null,"tranCode":"2012","memo":null,"newAdjustment":false,"amendmentId":null,"depositCompanyId":51113251,"depositAgencyId":996,"depositCompanyAgencyId":51113260,"liabilityType":"7","liabilityPeriodEndDate":"2020-12-31T00:00:00.000-0800","fedPayAgent":"","entity":null,"liabilityId":null,"liabilityStatus":"0","forcedStatus":"0","processed":null,"depositAdjustedId":null,"payrollRunId":null,"rate":null,"commentCode":"35","previousLiabilityId":null,"totalEmployee":null,"femaleEmployeeCount":null,"maleEmployeeCount":null,"creditId":null,"paidBy":null,"sourceSystemIdentifier":null,"glAccount":null,"source":"VP","includeAmtInPlateau":true,"sundryFlag":"Y","varianceType":"3","fractionType":"NN","varianceDueDate":"2021-02-01T00:00:00.000-0800","formId":994,"id":null,"depositId":null,"holdFlag":null,"holdReasonCode":null,"createDate":"2021-01-03T00:00:00.000-0800","updateCredit":false,"cashStatus":null,"status":null,"depositHistoryStatus":null,"liabilitySource":null,"fullyAbsorbed":false,"insertMtLibDepHistStatus":false,"cartRate":null,"depositDate":null,"depositAmount":null,"deferralDepositAmount":null,"firstDeferralPayment":null,"secondDeferralPayment":null,"forcedDepositDueDate":null,"deferredLiabilityState":null,"deferredLiability":false,"dataType":null,"credit":false,"mmcommunicationIgnore":false,"createCouponCallRequired":false,"creditSplit":false,"creditGroupOne":false,"depositProcessed":false,"midQuarterSameAsSUI":false,"prepaidDummy":false,"depositedDummy":false,"notSystemAdjustment":true},{"processMasterId":null,"transactionMasterId":null,"transactionMasterType":null,"checkDate":"2020-12-31T00:00:00.000-0800","payrollCycleId":null,"payrollId":51113251,"cashCareXfer":null,"generalLedgerCoa99":null,"priorPeriodAdjustmentByCheck":null,"midYear":false,"midQuarter":false,"processDetailId":null,"transactionDetailId":null,"agencyId":195162,"companyAgencyId":51966742,"taxAmount":72999.16,"amount2":null,"gross":null,"amount3":null,"traceId":null,"userField1":"V<%libh_id>","userField2":null,"userField3":null,"userField4":null,"userField5":null,"userField6":null,"userField7":null,"userField8":null,"tranCode":"2012","memo":null,"newAdjustment":false,"amendmentId":null,"depositCompanyId":51113251,"depositAgencyId":996,"depositCompanyAgencyId":51113260,"liabilityType":"7","liabilityPeriodEndDate":"2020-12-31T00:00:00.000-0800","fedPayAgent":"","entity":null,"liabilityId":null,"liabilityStatus":"0","forcedStatus":"0","processed":null,"depositAdjustedId":null,"payrollRunId":null,"rate":null,"commentCode":"39","previousLiabilityId":null,"totalEmployee":null,"femaleEmployeeCount":null,"maleEmployeeCount":null,"creditId":null,"paidBy":null,"sourceSystemIdentifier":null,"glAccount":null,"source":"VP","includeAmtInPlateau":true,"sundryFlag":"Y","varianceType":"3","fractionType":"NN","varianceDueDate":"2021-02-01T00:00:00.000-0800","formId":994,"id":null,"depositId":null,"holdFlag":null,"holdReasonCode":null,"createDate":"2021-01-03T00:00:00.000-0800","updateCredit":false,"cashStatus":null,"status":null,"depositHistoryStatus":null,"liabilitySource":null,"fullyAbsorbed":false,"insertMtLibDepHistStatus":false,"cartRate":null,"depositDate":null,"depositAmount":null,"deferralDepositAmount":null,"firstDeferralPayment":null,"secondDeferralPayment":null,"forcedDepositDueDate":null,"deferredLiabilityState":null,"deferredLiability":false,"dataType":null,"credit":false,"mmcommunicationIgnore":false,"createCouponCallRequired":false,"creditSplit":false,"creditGroupOne":false,"depositProcessed":false,"midQuarterSameAsSUI":false,"prepaidDummy":false,"depositedDummy":false,"notSystemAdjustment":true}],"liabilitySource":"VP","processVO":{"ntProcess":null,"background":null,"processType":null,"companyGroupId":null,"marker":null,"ntProcessMaster":{"id":null,"ntProcess":null,"payrId":null,"tmstId":null,"periodEndDate":null,"amount1":null,"amount2":null,"amount3":null,"status":null,"creator":null,"createDate":null,"memo":null,"vschemaId":null,"midYear":null,"midQuarter":null,"description":null,"type":null,"applyToDate":null,"pfleId":null},"ntProcessDetail":{"id":null,"ntProcessMaster":null,"tdtlId":null,"amount1":null,"amount2":null,"amount3":null,"status":null,"tranCode":null,"creator":null,"createDate":null,"memo":null,"periodEndDate":null,"vschemaId":null,"outputFilename":null,"procId":null,"libhId":null,"dephId":null,"cagyId":null,"dueDate":null,"aid":null},"statusMessage":null,"feedback":{"errors":[],"warnings":[],"successes":[],"infos":[],"processId":null,"procMasterId":null,"messageIdMap":{},"userName":null,"errorMessages":[],"warningMessages":[],"infoMessages":[],"successMessages":[],"all":[]}}

Year_Quarter _BlankYear_Quarter _Blank


But I am not able to parse the Year & Quarter from the checkDate field. Below is what I am trying

|rename liabilityDetailsVOs{}.payrollId AS cpnyId, liabilityDetailsVOs{}.depositAgencyId AS majorAgency, liabilityDetailsVOs{}.taxAmount AS taxAmount,
liabilityDetailsVOs{}.sundryFlag AS isSundry, liabilityDetailsVOs{}.checkDate as checkDate
|eval chkdate=strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q")
|eval month=strftime(chkdate,"%m")
|eval year_quarter=case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4")."-".strftime(chkdate,"%Y")
|where cpnyId="51113251"
|table cpnyId majorAgency taxAmount isSundry checkDate month year_quarter

Labels (2)
Labels
0 Karma
Reply

rnowitzki
Builder
‎03-29-2021 07:59 AM

Hi  @gvssaicharan ,

Try this:

| eval month=strftime(strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q"),"%m")
| eval quarter=case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4")
| eval year=strftime(strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q"),"%Y")
| eval year_quarter=year."_".quarter


BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...