You can have a look at the convert command, which can convert a string to a date and can take a wildcard in the field name.
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Convert
A sample will be
your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"
The following from somesoni2 works perfectly! Thanks somesoni2!
your base search | convert mktime(*_date) as *_date_epoch timeformat="%Y-%m-%d %H:%M:%S"
Are you looking for a search-time option or some automatic option (in props/transforms conf files)?
I would be fine with a search-time option, but I would like to be able to add a corresponding epoch time field for every date value that I have, including multivalue fields.