I am trying to reformat a date field in Splunk. I have a field called "last_updated_date" and its value is 2012-04-03.
I am using the strptime command to reformat the field to the following: 04/03/12.
Here is my syntax:
eval last_updated_date=strftime(strptime(last_updated_date,"%Y-%b-%D"),"%M/%D/%Y")
However, it returns blank values in my output.
Thoughts?
There's (at least) two ways of dealing with this. If you want to change the raw data within the event as it is being indexed then as cvajs suggested, SEDCMD
is the route to take. It would look something like this:
[mysourcetype]
SEDCMD-date=s/\d{2}(\d{2})-(\d{2})-(\d{2})/\2\/\3\/\1/
(Assuming I got my sed syntax 100% correct)
Your strftime
+ strptime
approach should work as well. It obviously does not change the data in the index, but it should update the field correctly. But, I think you have your format strings wrong:
... | eval last_updated_date=strftime(strptime(last_updated_date,"%Y-%m-%d"),"%m/%d/%y")
There's (at least) two ways of dealing with this. If you want to change the raw data within the event as it is being indexed then as cvajs suggested, SEDCMD
is the route to take. It would look something like this:
[mysourcetype]
SEDCMD-date=s/\d{2}(\d{2})-(\d{2})-(\d{2})/\2\/\3\/\1/
(Assuming I got my sed syntax 100% correct)
Your strftime
+ strptime
approach should work as well. It obviously does not change the data in the index, but it should update the field correctly. But, I think you have your format strings wrong:
... | eval last_updated_date=strftime(strptime(last_updated_date,"%Y-%m-%d"),"%m/%d/%y")
i think SEDCMD is a better route
I am looking to reformat the date to MM/DD/YYYY. Should this be done in props instead?
so, maybe strptime would not be useful in this scenario?
you wrote "strftime"
is that the right command?
strftime takes (X) as epoch time and converts it to format Y
you dont have epoch time anywhere in your syntax. epoch is # of sec since jan 1 1970 00:00:00 UTC
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions