Getting Data In

How to convert all fields that have "Date" in the name to a standard date format from JSON message data?

nfieglein
Path Finder

Hi,
I have a number of date fields in a JSON message. I would like to be able to use standard date comparison functions on those fields, but I have to convert them to date fields first. Is there a mechanism to convert all fields which have Date in the name?

Thanks

Tags (3)
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can have a look at the convert command which can convert a string to date and can take wildcard in the field name.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert

A sample will be

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

View solution in original post

nfieglein
Path Finder

The following from somesoni2 works perfectly! Thanks somesoni2!

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

somesoni2
SplunkTrust
SplunkTrust

You can have a look at the convert command which can convert a string to date and can take wildcard in the field name.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert

A sample will be

your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"

somesoni2
SplunkTrust
SplunkTrust

You're looking for a search time option or some automatic option (in props/transforms conf files)?

0 Karma

nfieglein
Path Finder

I would be fine with a search time option, but I would like to be able to add a correspnding epoch time field for every date value that I have, including multivalue fields.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...