- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Place value in custom column if date is a cert...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to populate a custom column if a date stamp (that has been converted to epoch) if that date stamp matches to a certain month, like so:
| eval month=strftime("Step Date Completed","%b")
| eval January=case(month=="jan",winRate)
| eval February=case(month=="feb",winRate)
| eval March=case(month=="mar",winRate)
| eval April=case(month=="apr",winRate)
| eval May=case(month=="may",winRate)
| eval June=case(month=="jun",winRate)
| eval July=case(month=="jul",winRate)
| eval August=case(month=="aug",winRate)
| eval September=case(month=="sept",winRate)
| eval October=case(month=="oct",winRate)
| eval November=case(month=="nov",winRate)
| eval December=case(month=="dec",winRate)
However, that doesn't seem to be working. How would I accomplish this? Note, each month above corresponds to a custom column.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your comments, you need to convert to epoch and then to a string with month. The format of your date field looks to be a string, not epoch. Also, try an if statement.
| eval month=strftime(strptime('Step Date Completed',"%Y-%m-%d %H:%M:%S.%6N"),"%b")
| eval January=if(month="Jan",winRate,null())
| eval February=if(month="Feb",winRate,null())
| eval March=if(month="Mar",winRate,null())
| eval April=if(month="Apr",winRate,null())
| eval May=if(month="May",winRate,null())
| eval June=if(month="Jun",winRate,null())
| eval July=if(month="Jul",winRate,null())
| eval August=if(month="Aug",winRate,null())
| eval September=if(month="Sept",winRate,null())
| eval October=if(month="Oct",winRate,null())
| eval November=if(month="Nov",winRate,null())
| eval December=if(month="Dec",winRate,null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your comments, you need to convert to epoch and then to a string with month. The format of your date field looks to be a string, not epoch. Also, try an if statement.
| eval month=strftime(strptime('Step Date Completed',"%Y-%m-%d %H:%M:%S.%6N"),"%b")
| eval January=if(month="Jan",winRate,null())
| eval February=if(month="Feb",winRate,null())
| eval March=if(month="Mar",winRate,null())
| eval April=if(month="Apr",winRate,null())
| eval May=if(month="May",winRate,null())
| eval June=if(month="Jun",winRate,null())
| eval July=if(month="Jul",winRate,null())
| eval August=if(month="Aug",winRate,null())
| eval September=if(month="Sept",winRate,null())
| eval October=if(month="Oct",winRate,null())
| eval November=if(month="Nov",winRate,null())
| eval December=if(month="Dec",winRate,null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked, thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two minor revisions might make the difference. First, you'll need to use single quotes around the field name 'Step Date Completed', or else the strftime function is going to try to evaluate against the literal string Step Date Completed. Second, the matches in your month checks will be case-sensitive, and Splunk is going to return month names with the first letter capitalized. Give this a try:
| eval month=strftime('Step Date Completed',"%b")
| eval January=case(month=="Jan",winRate)
| eval February=case(month=="Feb",winRate)
| eval March=case(month=="Mar",winRate)
| eval April=case(month=="Apr",winRate)
| eval May=case(month=="May",winRate)
| eval June=case(month=="Jun",winRate)
| eval July=case(month=="Jul",winRate)
| eval August=case(month=="Aug",winRate)
| eval September=case(month=="Sept",winRate)
| eval October=case(month=="Oct",winRate)
| eval November=case(month=="Nov",winRate)
| eval December=case(month=="Dec",winRate)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No luck, for reference here is what my date stamps look like before converting to epoch (step date completed): 2018-02-22 21:54:00.380000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you run this and tell me the output:
your base search that creates the field `Step Date Completed` as an epoch time
| eval month=strftime('Step Date Completed',"%b")
| table 'Step Date Completed' month
I can help troubleshoot with that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well , first of all %b returns stuff like this - %b=Abbreviated month name. (Jan, Feb, etc.)
You are doing exact string matching,, jan is not equal to Jan.
Try changing your first letters after == to caps.
Second, i don't think you need == a single = should work.
If you are still not getting the results, i would like to see samples of your Step Date Completed field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No luck, for reference here is what my date stamps look like before converting to epoch (step date completed): 2018-02-22 21:54:00.380000
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
