This is confusing: how do you get that "hard coded" text in the first place? In Splunk, the opposite is harder, rendering system date into English word strings. But if you got those strings in some dataset, you sure can "translate" them back. Suppose your hard coded input is called hardcoded; this search will turn the string into systemdate:

| eval decrement = case(
hardcoded == "Today", 0,
hardcoded == "Yesterday", 1,
true(), replace(hardcoded, "Last (\d+).+", "\1")
)
| eval systemdate = strftime(relative_time(now(), "-" . decrement . "day"), "%F")

decrement  hardcoded     systemdate
0          Today         2025-04-24
1          Yesterday     2025-04-23
2          Last 2nd Day  2025-04-22
3          Last 3rd Day  2025-04-21
4          Last 4th Day  2025-04-20
5          Last 5th Day  2025-04-19

Here is a full emulation for you to play with and compare with real data.

| makeresults format=csv data="hardcoded
Today
Yesterday
Last 2nd Day
Last 3rd Day
Last 4th Day
Last 5th Day"
| eval decrement = case(
hardcoded == "Today", 0,
hardcoded == "Yesterday", 1,
true(), replace(hardcoded, "Last (\d+).+", "\1")
)
| eval systemdate = strftime(relative_time(now(), "-" . decrement . "day"), "%F")