Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Convert string to date field for field extraction

AJNZAZ
Explorer
‎08-10-2017 07:25 AM

I have a python program that's generating logs with the following format START_DATE=08-AUG-2017

the problem is Splunk is interpreting the field value as a string and not a number, thus not a date. I would like to create a permanent field extraction to query the field as a date. How do I do that?

Reply

DalJeanis
Legend
‎08-10-2017 09:13 AM

At extract time, that is on this page - https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configuretimestamprecognition

The entries would look something like this...

[your source type or source or whatever]
TIME_PREFIX =  START_DATE=
TIME_FORMAT = %d-%b-%Y
TZ = whatever time zone your data is coming from

And if you also want the value stored as an epoch date in the START_DATE field as well, you could have a transform to do that... discussed here - http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configureindex-timefieldextraction

That might look something like this...

[<unique_transform_stanza_name>]
REGEX = .
FORMAT = START_DATE::$1
DEST_KEY = START_DATE
SOURCE_KEY = _time
0 Karma
Reply

mhouse3
Path Finder
‎08-10-2017 09:08 AM

This documentation speaks to the convert command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert

Example: index="indexname" sourcetype="Sourcetype" Search condition | convert auto(Date) | stats count by Date

If that does not help look at the strptime() function:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions

Example: index="indexname" sourcetype="Sourcetype" Search condition | eval date_time = strptime(Date, "%H:%M") | stats count by date_time

IF the issue your facing is with rex, look at the second link abo e for pattern options. Before you get into testing the strptime, you should confirm that your rex works.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...