Is it possible to somehow combine the date_year, date_month and date_mday fields into a single date field?
I need to do this for charting purposes.
Yes:
... | strcat date_year "-" date_month "-" date_mday date_str
or
... | eval datestr=date_year."-".date_month."-".date_mday
or
... | eval datestr=strftime(_time, "%Y-%m-%d")
I would suggest using the last one, as it is possible that the date_* fields are missing from the event.
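As an added example (not part of the answer above), here is a complete search that builds the date field with a fallback: it uses the date_* fields when all three are present and falls back to formatting _time otherwise, then counts events per day for charting. The index and sourcetype names are assumptions; substitute your own.

```spl
index=web sourcetype=access_combined earliest=-30d
| eval datestr=if(isnotnull(date_year) AND isnotnull(date_month) AND isnotnull(date_mday),
                  date_year."-".date_month."-".date_mday,
                  strftime(_time, "%Y-%m-%d"))
| stats count AS events BY datestr
| sort datestr
```

The if() guard matters because an eval that concatenates a missing field yields no value at all, so events without date_* fields would silently drop out of the chart; the strftime branch keeps them in.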
Try:
| eval full_date = date_year." ".date_month." ".date_mday
You can format that in whatever way you want; the text between the quotes " " is the separator.
This was found under the eval command reference here.