Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Extract the day from the Day from the DATE in splunk

aditsss
Motivator
‎01-14-2021 11:31 AM

Hi Everyone,

I have one field called  BuildStartDate. Its showing Dates like below:

Mon Jan 11 09:00:13 MST 2021

Sun Jan 10 09:00:01 MST 2021

 

I want only  to Display BuildStartDate in following Format

Mon Jan 11 2021

Sun Jan 10 2021

Can someone guide me how can I do that.

Thanks in advance

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-14-2021 01:06 PM

There was a typo in my query, there shouldn't be space after field= 

Please try below;

index="abc" sourcetype="xyzt" BuildName!="g*" (BuildResult ="*") 
| eval TimeTaken=round('BuildDuration'/1000) 
| fieldformat TimeTaken = tostring(TimeTaken, "duration") 
| rex mode=sed field=BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g" 
| table ORG BuildResult BuildStartDate TimeTaken 
| where ORG="gcp"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-14-2021 01:06 PM

There was a typo in my query, there shouldn't be space after field= 

Please try below;

index="abc" sourcetype="xyzt" BuildName!="g*" (BuildResult ="*") 
| eval TimeTaken=round('BuildDuration'/1000) 
| fieldformat TimeTaken = tostring(TimeTaken, "duration") 
| rex mode=sed field=BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g" 
| table ORG BuildResult BuildStartDate TimeTaken 
| where ORG="gcp"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-14-2021 12:26 PM

Hi @aditsss,

You can use below query;

| rex mode=sed field= BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-14-2021 12:41 PM

@scelikok 

I tried like that but getting error in rex.

Can you guide me where I am wrong:

index="abc" sourcetype="xyzt" BuildName!="g*" (BuildResult ="*")|eval TimeTaken=round('BuildDuration'/1000) | fieldformat TimeTaken = tostring(TimeTaken, "duration")| rex mode=sed field= BuildStartDate "s/\d{2}:\d{2}:\d{2}\s[A-Z]{3}\s//g"|table ORG BuildResult BuildStartDate TimeTaken| where ORG="gcp"

Getting below Error:

Error in 'rex' command: Failed to initialize sed. cannot find sed command: B

Can you guide me where I am wrong.

Thanks in advance

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...