Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not able to Extract Year and Quarter from the input field

gvssaicharan
Engager
‎03-29-2021 07:27 AM

I have a JSON Input Request like below

{"liabilityDetailsVOs":[{"processMasterId":null,"transactionMasterId":null,"transactionMasterType":null,"checkDate":"2020-12-31T00:00:00.000-0800","payrollCycleId":null,"payrollId":51113251,"cashCareXfer":null,"generalLedgerCoa99":null,"priorPeriodAdjustmentByCheck":null,"midYear":false,"midQuarter":false,"processDetailId":null,"transactionDetailId":null,"agencyId":1012,"companyAgencyId":51233519,"taxAmount":-72999.16,"amount2":null,"gross":null,"amount3":null,"traceId":null,"userField1":"V<%libh_id>","userField2":null,"userField3":null,"userField4":null,"userField5":null,"userField6":null,"userField7":null,"userField8":null,"tranCode":"2012","memo":null,"newAdjustment":false,"amendmentId":null,"depositCompanyId":51113251,"depositAgencyId":996,"depositCompanyAgencyId":51113260,"liabilityType":"7","liabilityPeriodEndDate":"2020-12-31T00:00:00.000-0800","fedPayAgent":"","entity":null,"liabilityId":null,"liabilityStatus":"0","forcedStatus":"0","processed":null,"depositAdjustedId":null,"payrollRunId":null,"rate":null,"commentCode":"35","previousLiabilityId":null,"totalEmployee":null,"femaleEmployeeCount":null,"maleEmployeeCount":null,"creditId":null,"paidBy":null,"sourceSystemIdentifier":null,"glAccount":null,"source":"VP","includeAmtInPlateau":true,"sundryFlag":"Y","varianceType":"3","fractionType":"NN","varianceDueDate":"2021-02-01T00:00:00.000-0800","formId":994,"id":null,"depositId":null,"holdFlag":null,"holdReasonCode":null,"createDate":"2021-01-03T00:00:00.000-0800","updateCredit":false,"cashStatus":null,"status":null,"depositHistoryStatus":null,"liabilitySource":null,"fullyAbsorbed":false,"insertMtLibDepHistStatus":false,"cartRate":null,"depositDate":null,"depositAmount":null,"deferralDepositAmount":null,"firstDeferralPayment":null,"secondDeferralPayment":null,"forcedDepositDueDate":null,"deferredLiabilityState":null,"deferredLiability":false,"dataType":null,"credit":false,"mmcommunicationIgnore":false,"createCouponCallRequired":false,"creditSplit":false,"creditGroupOne":false,"depositProcessed":false,"midQuarterSameAsSUI":false,"prepaidDummy":false,"depositedDummy":false,"notSystemAdjustment":true},{"processMasterId":null,"transactionMasterId":null,"transactionMasterType":null,"checkDate":"2020-12-31T00:00:00.000-0800","payrollCycleId":null,"payrollId":51113251,"cashCareXfer":null,"generalLedgerCoa99":null,"priorPeriodAdjustmentByCheck":null,"midYear":false,"midQuarter":false,"processDetailId":null,"transactionDetailId":null,"agencyId":195162,"companyAgencyId":51966742,"taxAmount":72999.16,"amount2":null,"gross":null,"amount3":null,"traceId":null,"userField1":"V<%libh_id>","userField2":null,"userField3":null,"userField4":null,"userField5":null,"userField6":null,"userField7":null,"userField8":null,"tranCode":"2012","memo":null,"newAdjustment":false,"amendmentId":null,"depositCompanyId":51113251,"depositAgencyId":996,"depositCompanyAgencyId":51113260,"liabilityType":"7","liabilityPeriodEndDate":"2020-12-31T00:00:00.000-0800","fedPayAgent":"","entity":null,"liabilityId":null,"liabilityStatus":"0","forcedStatus":"0","processed":null,"depositAdjustedId":null,"payrollRunId":null,"rate":null,"commentCode":"39","previousLiabilityId":null,"totalEmployee":null,"femaleEmployeeCount":null,"maleEmployeeCount":null,"creditId":null,"paidBy":null,"sourceSystemIdentifier":null,"glAccount":null,"source":"VP","includeAmtInPlateau":true,"sundryFlag":"Y","varianceType":"3","fractionType":"NN","varianceDueDate":"2021-02-01T00:00:00.000-0800","formId":994,"id":null,"depositId":null,"holdFlag":null,"holdReasonCode":null,"createDate":"2021-01-03T00:00:00.000-0800","updateCredit":false,"cashStatus":null,"status":null,"depositHistoryStatus":null,"liabilitySource":null,"fullyAbsorbed":false,"insertMtLibDepHistStatus":false,"cartRate":null,"depositDate":null,"depositAmount":null,"deferralDepositAmount":null,"firstDeferralPayment":null,"secondDeferralPayment":null,"forcedDepositDueDate":null,"deferredLiabilityState":null,"deferredLiability":false,"dataType":null,"credit":false,"mmcommunicationIgnore":false,"createCouponCallRequired":false,"creditSplit":false,"creditGroupOne":false,"depositProcessed":false,"midQuarterSameAsSUI":false,"prepaidDummy":false,"depositedDummy":false,"notSystemAdjustment":true}],"liabilitySource":"VP","processVO":{"ntProcess":null,"background":null,"processType":null,"companyGroupId":null,"marker":null,"ntProcessMaster":{"id":null,"ntProcess":null,"payrId":null,"tmstId":null,"periodEndDate":null,"amount1":null,"amount2":null,"amount3":null,"status":null,"creator":null,"createDate":null,"memo":null,"vschemaId":null,"midYear":null,"midQuarter":null,"description":null,"type":null,"applyToDate":null,"pfleId":null},"ntProcessDetail":{"id":null,"ntProcessMaster":null,"tdtlId":null,"amount1":null,"amount2":null,"amount3":null,"status":null,"tranCode":null,"creator":null,"createDate":null,"memo":null,"periodEndDate":null,"vschemaId":null,"outputFilename":null,"procId":null,"libhId":null,"dephId":null,"cagyId":null,"dueDate":null,"aid":null},"statusMessage":null,"feedback":{"errors":[],"warnings":[],"successes":[],"infos":[],"processId":null,"procMasterId":null,"messageIdMap":{},"userName":null,"errorMessages":[],"warningMessages":[],"infoMessages":[],"successMessages":[],"all":[]}}

Year_Quarter _BlankYear_Quarter _Blank


But I am not able to parse the Year & Quarter from the checkDate field. Below is what I am trying

|rename liabilityDetailsVOs{}.payrollId AS cpnyId, liabilityDetailsVOs{}.depositAgencyId AS majorAgency, liabilityDetailsVOs{}.taxAmount AS taxAmount,
liabilityDetailsVOs{}.sundryFlag AS isSundry, liabilityDetailsVOs{}.checkDate as checkDate
|eval chkdate=strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q")
|eval month=strftime(chkdate,"%m")
|eval year_quarter=case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4")."-".strftime(chkdate,"%Y")
|where cpnyId="51113251"
|table cpnyId majorAgency taxAmount isSundry checkDate month year_quarter

Labels (2)
Labels
0 Karma
Reply

rnowitzki
Builder
‎03-29-2021 07:59 AM

Hi  @gvssaicharan ,

Try this:

| eval month=strftime(strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q"),"%m")
| eval quarter=case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4")
| eval year=strftime(strptime(checkDate,"%Y-%m-%dT%H:%M:%S.%Q"),"%Y")
| eval year_quarter=year."_".quarter


BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...