Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a numeric alternative to date_month?

atornes
Path Finder
‎09-27-2012 01:18 PM

I'm trying to use a lookup table to get the # of days in the current month (I was told at .conf2012 that is the only way to do it). If there is an operator to return this (similar to date_mday) that would be fantastic, but if not....

I was told that the date_month field returned a numeric value for the month (i.e. September = 9) but it does not, it returns a string like "september".

Is there a numeric alternative to this operator where it would return 09 or 9?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-27-2012 01:44 PM

It would be better to use

| eval month=strftime(_time,"%m")

even if date_month exists

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-27-2012 02:40 PM

btw, a lookup is not the only way. you can use a case() function in the eval search command, and while it's a long expression, you can make that expression into a macro.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-27-2012 01:44 PM

It would be better to use

| eval month=strftime(_time,"%m")

even if date_month exists

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-27-2012 02:35 PM

correct. it is a bad idea to use the date_* fields because:

  • they may not exist on all events, depending how the timestamp was extracted
  • they are not normalized for time zone or DST, but simply have whatever value was represented in the raw event

therefore, as lguinn says, it's a lot better to derive it from _time.

but all that said, it's possible to make a lookup table to map from the english name ("september") to the number of days if you really insisted on using date_month (or used month_text=strftime(_time,"%b")

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-27-2012 01:43 PM

yes, use a convertion of _time field.

mysearch |  convert timeformat="%m" ctime(_time) AS date_month_numeric  | table _time date_month date_month_numeric

see http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/convert

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-27-2012 02:37 PM

in general, if an eval function exists, it is preferred over a standalone search command, eg., strftime() or strptime() is slightly better than convert, case() is better than rangemap etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...