Splunk Search

What is the best method to add a field based upon another field?

a212830
Champion

Hi,

I have a number of pre-existing date fields from Nessus that are reported in epoch format. I'd like to add a new field that translates that field into Julian format. How would I do that?

This link had the same issue, but I don't see an answer. I know that this can be done at search time, but I want it done automatically, retaining the original field and adding a new one with the converted date.

https://answers.splunk.com/answers/499710/how-to-convert-epoch-to-human-readable-in-kv-mode.html

0 Karma

sloshburch
Splunk Employee
Splunk Employee

hey buddy - I'm confused on this one cause it sounds like you outlined the answer...so I prob am just misreading.

Here's what I interpreted (spot the mistake?):
You get data with a time stamp as epoch. When the data is searched, you want there to be available a field that presents the data formatted as Julian and you want it automatically part of the sourcetype (not put in search box each time).

I would solve this by adding a calculated field to the sourcetype (or source, or host) to automatically perform the strftime function of eval using the Common Time Format Variables:
julian = strftime( _time , "%Y%m%d")

Although I may be misunderstanding what you want with Julian since it seems to be defined as both YYYYMMDD and count of days since a point in time. Let us know which and we can keep moving.

0 Karma

a212830
Champion

Hey Burch,

Sorry - got sidetracked. I'll try this out - haven't done a calculated field before.

Thanks!

0 Karma

a212830
Champion

I was able to create a calculated field using this:

strftime(patchPubDate,"%Y-%m-%dT%H:%M:%S")

I do have another question. The large majority of these events don't have a valid epoch time - they come in with "-1". Should I add some logic to my field to bypass processing on those events?

I tried setting this up, but wasn't able to get it working:

if(patchPubDate>0),strftime(patchPubDate,"%Y-%m-%dT%H:%M:%S")

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Hey hey - if you're just doing "%Y-%m-%dT%H:%M:%S" then you might find a simpler approach with

| convert ctime( patchPubDate )

The logic of the if statement is missing the else part. Share more info on why it wasn't working. What was the result? I'm guessing it threw an error in the UI.

Create your calculated field in an inline search before putting it into a new field. It will do wonders for debugging.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...