Hello,
I have a field called "opened_at" where the date is in text format (YYYY-MM-DD HH:MM:SS). Now, using the "opened_at" field, I need to create a new field called "month_name" which should display only the month in (MMM) format.
Example: If my date in the field "opened_at" is in text format (2017-05-31 10:20:10), then the new field should be populated as "month_name" and it should show the result as "May".
Please help!
If you already have a field named opened_at extracted then do it this way -
<your search> | eval month_name=strftime(strptime(opened_at,"%F %T"),"%b")
Here are details of the time functions used - http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/CommonEvalFunctions
A combination of strptime to convert the existing time into an epoch, then a strftime to convert it to the format you want.
... | eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")
Should do it.
A run anywhere example:
| makeresults
| eval opened_at = "2017-05-31 10:20:10"
| eval month_name = strftime(strptime(opened_at, "%Y-%m-%d %H:%M:%S"), "%B")
Also, "%b" could be used at the end to get the 3-character month abbreviation.
Links for reference:
Eval Date and Time functions
Common Time Format Variables