I have a date field in a string with the format as mn/day/year. I need to extract the month from the same. Can someone help on this issue?
The best way I have found to do this is convert field to epoch time, then just pull the month out of that. For example:
| eval epochField=strptime(field, "%m/%d/%Y") | eval month=strftime(epochField, "%B")
The syntax will vary somewhat based on the exact format of the date and the exact format you want the month in. Refer to this document: http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Commontimeformatvariables
you can combine them into one eval, as well.
| eval month=strftime(strptime(field, "%m/%d/%y"), "%B")
Like this:
... | rex field=YourFieldHere "(^?<Month>[^\/]+)"
