Solved: date parsing

DTERM · ‎06-27-2012

I've got date field in a splunk log that looks like: firstOccurrence=2012/06/27 14:55:12

Splunk does not interpret this as "date" field. As far as Splunk is concerned, it is only a set of strings. What query will allow me to query for all FirstOccurance that is older then 30 days?

Thanks in advance.

Lowell · ‎06-27-2012

You could do something like this:

Assuming splunk is extracting the field "firstOccurrence" with the value "2012/06/27 14:55:12", then you can add something like this to your search:

... | eval first=strptime(firstOccurrence, "%Y/%m/%d %H:%M:%S") | where relative_time(now(), "-30d")>first

However, if this should be the timestamp of your events, then you should get that corrected. Having events indexed without a proper timestamp will create all kinds of issues long-term.

View solution in original post

Lowell · ‎06-27-2012

You could do something like this:

Assuming splunk is extracting the field "firstOccurrence" with the value "2012/06/27 14:55:12", then you can add something like this to your search:

... | eval first=strptime(firstOccurrence, "%Y/%m/%d %H:%M:%S") | where relative_time(now(), "-30d")>first

However, if this should be the timestamp of your events, then you should get that corrected. Having events indexed without a proper timestamp will create all kinds of issues long-term.

DTERM · ‎06-28-2012

Perfect!! Thanks so much!!

Ayn · ‎06-27-2012

Isn't the issue here why you haven't had Splunk index this field as something it should use when timestamping events? You've asked about this in a separate thread, I think it's a better idea to carry on the discussion there.

date parsing

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk