Hello.
I am having issues with breaking a timestamp field into its components.
Currently the field is in the format of: 2015-04-14 19:25:21
I need the data to be in separate fields: Year, month, day, hour, minute
I have tried variations on eval using strptime and strftime, and have looked at using a rex on it; however, I am not making progress.
This will be a heavily used set of fields, so I would prefer to get this into my props file rather than having it be a search-time action. My current props.conf is:
[csv-cdr]
CHECK_FOR_HEADER = false
KV_MODE = auto
NO_BINARY_CHECK = 1
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = False
pulldown_type = 1
FIELD_DELIMITER = ,
FIELD_NAMES = clid,src,dst,dcontext,channel,dstchannel,lastapp,lastdata,start,answer,end,duration,billsec,disposition,amaflags,accountcode,uniqueid,userfield,peeraccount,linkedid,sequence
Thanks.
This regex should extract the parts you want.
"(?P<year>\d{4})-(?P<mon>\d{2})-(?P<date>\d{2}) (?P<hour>\d{2}):(?P<minute>\d{2})"
Hi Rich. Great - that worked perfectly.
How would I go about incorporating that at index time? I guess that's props or transforms, but I'm not sure which or how.
Thanks again.
This should get you going.
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Configureindex-timefieldextraction
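Added example, not part of the thread or of Splunk: a Python check that applies the regex from the answer above to constructed Asterisk CDR lines laid out per the FIELD_NAMES in the question, and validates each match with strptime. The regex alone accepts impossible values such as month 13 or hour 25, which matters once the pieces are written as indexed fields and cannot be corrected at search time.

```python
import csv
import re
from datetime import datetime
from io import StringIO

# Field layout copied from the asker's props.conf (Asterisk CDR CSV order).
FIELD_NAMES = (
    "clid,src,dst,dcontext,channel,dstchannel,lastapp,lastdata,start,answer,end,"
    "duration,billsec,disposition,amaflags,accountcode,uniqueid,userfield,"
    "peeraccount,linkedid,sequence"
).split(",")

# The regex from the answer above, unchanged.
TS_RE = re.compile(
    r"(?P<year>\d{4})-(?P<mon>\d{2})-(?P<date>\d{2}) (?P<hour>\d{2}):(?P<minute>\d{2})"
)

# Constructed sample CDR records (not real data): the second one carries a
# timestamp that the regex matches but that is not a real calendar time.
SAMPLE_CDR = (
    '"Alice <1001>",1001,2002,default,SIP/1001-0001,SIP/2002-0002,Dial,SIP/2002,'
    "2015-04-14 19:25:21,2015-04-14 19:25:30,2015-04-14 19:27:01,100,91,ANSWERED,3,,"
    "1429039521.1,,,1429039521.1,1\n"
    '"Bob <1002>",1002,2003,default,SIP/1002-0003,,Hangup,,'
    "2015-13-45 25:61:00,,2015-13-45 25:61:00,0,0,FAILED,3,,"
    "1429039600.2,,,1429039600.2,1\n"
)


def split_timestamp(value):
    """Return the year/mon/date/hour/minute pieces as strings (as Splunk's
    rex would), or None when the text is not a valid wall-clock time."""
    m = TS_RE.search(value)
    if m is None:
        return None
    try:
        # strptime rejects month 13, day 45, hour 25, minute 61, etc.
        datetime.strptime(m.group(0), "%Y-%m-%d %H:%M")
    except ValueError:
        return None
    return m.groupdict()


def parse_cdr(text):
    """Parse CDR CSV text into dicts keyed by FIELD_NAMES, adding a
    '<field>_parts' entry for each of the three timestamp columns."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELD_NAMES):
        for field in ("start", "answer", "end"):
            row[field + "_parts"] = split_timestamp(row[field])
        rows.append(row)
    return rows
```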