Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract age from a birthday field before the year of our Splord 1970?

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-22-2015 03:30 PM

Dearest Brethren and Sistren of Splunk Almighty,

Do thou hearst my plea?

A field by the name bday cometh forth in the form of 1967-05-05 00:00:00

How dost thou eval an age value for years before the year of our Splord 1970 ? 

| eval age = tonumber(strftime(now(),"%Y")) - tonumber(strftime(strptime(bday, "%F %H:%M:%S"), "%Y"))

leaveth out far too many unixasaurus-rexes.

Rexes... rexes...Is this the only way?

| rex field=bday "(?<year>\d{4})"
| eval age = tonumber(strftime(now(),"%Y")) - tonumber(year)

Pray tell, you have an answer for thine humble servant ? The forbidden dark arts of custom search commands aside, I pray that your witchcraft cometh to my aid.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎04-22-2015 04:46 PM

In the year of our Splord Two Thousand and Fifteen, having been questioned by a knight of such standing as @aljohnson_splunk, I questioned, pondered, and, yes, even cogitated, upon the answer that might be provided, other than that of the Rex. For it wasn't too many fortnights ago, I had wandered into a tavern of such reputable pestilence, and found myself embolden to try such a feat of cunning as was required of my constitution. Alas, I had traveled far that day, and wearily I drank grogs of mead and wine, until I found myself so inebriated, I could barely stand. As I sat in a stupor, groggy, yet lucid, as is know in the mythical device of Ballmer's Peak, I perplexed upon the age of my own self. For having been born in a year predating that of my lover's time, her name of course being Tuxette, it was unknown to me how to evaluate such differences. After nearly another pint of mead, I found myself in a fleeting moment of clarity. Having found myself staring at the date of my birth, it dawned on me!

eval age = tonumber(strftime(now(), "%Y")) - tonumber(mvindex(split(bday,"-"),0))

Of Course! The answer stared at me in ways that made me wonder if my father was birthed from the stars, and my mother the depths of hell. Cumbersome as it can be, it is a single evaluation, lending it self to further exploration and interpolation. Now, if thrown upon the rake of a file known to be props.conf, we can automatically and effortless deduce our age of existence.

[<sourcetype>]
EVAL-age = tonumber(strftime(now(), "%Y")) - tonumber(mvindex(split(bday,"-"),0))

And thusly! Our search must never need to include such evaluation, as it will automatically be added to the fields of interest! Rushing out of the tavern, I found myself stumbling and careening at such velocity with such excitement! Now the prayer of the humble servant has been hopefully answered, with nary an incantation! For I, merely a humble Lord of Splunktonia, wishes nothing but education and enlightenment upon the masses of this fair land. For only as we learn and grow in our ways, can we truly find that which we seek!

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎04-22-2015 04:46 PM

In the year of our Splord Two Thousand and Fifteen, having been questioned by a knight of such standing as @aljohnson_splunk, I questioned, pondered, and, yes, even cogitated, upon the answer that might be provided, other than that of the Rex. For it wasn't too many fortnights ago, I had wandered into a tavern of such reputable pestilence, and found myself embolden to try such a feat of cunning as was required of my constitution. Alas, I had traveled far that day, and wearily I drank grogs of mead and wine, until I found myself so inebriated, I could barely stand. As I sat in a stupor, groggy, yet lucid, as is know in the mythical device of Ballmer's Peak, I perplexed upon the age of my own self. For having been born in a year predating that of my lover's time, her name of course being Tuxette, it was unknown to me how to evaluate such differences. After nearly another pint of mead, I found myself in a fleeting moment of clarity. Having found myself staring at the date of my birth, it dawned on me!

eval age = tonumber(strftime(now(), "%Y")) - tonumber(mvindex(split(bday,"-"),0))

Of Course! The answer stared at me in ways that made me wonder if my father was birthed from the stars, and my mother the depths of hell. Cumbersome as it can be, it is a single evaluation, lending it self to further exploration and interpolation. Now, if thrown upon the rake of a file known to be props.conf, we can automatically and effortless deduce our age of existence.

[<sourcetype>]
EVAL-age = tonumber(strftime(now(), "%Y")) - tonumber(mvindex(split(bday,"-"),0))

And thusly! Our search must never need to include such evaluation, as it will automatically be added to the fields of interest! Rushing out of the tavern, I found myself stumbling and careening at such velocity with such excitement! Now the prayer of the humble servant has been hopefully answered, with nary an incantation! For I, merely a humble Lord of Splunktonia, wishes nothing but education and enlightenment upon the masses of this fair land. For only as we learn and grow in our ways, can we truly find that which we seek!

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...