Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

unable to convert string type date format to Date format.

satishachary199
New Member
‎06-15-2018 01:05 PM

My uploaded source having String type date format with different types like ('MAY-15' ,'May-2015','MAY-2015', 'May-15' ) want to covert all this to Date format like "MAY-2015" while searching for report.

Thanks in Adavance.

Tags (1)
0 Karma
Reply

niketn
Legend
‎06-17-2018 12:43 AM

@satishachary1991 are you uploading this as lookup or indexing in Splunk? Can you add few sample events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-15-2018 02:51 PM

In your specific case (as you describe the data above):

...| rex field=data mode=sed "s/([a-z]+)-20(\d+)/\\1-\\2/" 
| eval data=upper(data) 
| rex field=data mode=sed "s/-/-20/"

should give you a date like MAY-2015 in all these cases. It also assumes that the file data has MMM-YYYY or MMM-YY as the format.

0 Karma
Reply

satishachary199
New Member
‎06-15-2018 08:32 PM

yes the format is 'MMM-YY', thank you for solution, its working fine for 2015 only in my case not working with other year like 2016,2013,2014 , the result is coming ('APR-202012' , 'APR-202016', 'OCT-202013')
and still it's string type for that when applying "sort -data" its sorting alphabetically , can we able to make sort month wise and year wise by coverting date format?

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-16-2018 12:17 PM

The change that needs to be made to the above was to include both upper and lower case in the regular expression. Here is a run-anywhere example that works for what you want.

| makeresults
| eval data="('MAY-15' ,'May-2015','MAY-2015', 'May-15' , 'may-2014', 'MaY-2016')"
| rex field=data mode=sed "s/([A-Za-z]+)-20(\d+)/\\1-\\2/g" 
| eval data=upper(data) 
| rex field=data mode=sed "s/-/-20/g"
0 Karma
Reply

somesoni2
Revered Legend
‎06-15-2018 01:42 PM

Look at lower function available with eval to normalize the case of value of a field.

0 Karma
Reply

satishachary199
New Member
‎06-16-2018 06:00 AM

Hi somesoni , i tried with your answer , actually the probem i am facing with in my .csv file the filed represent MMM-YY format , when i am uploading in splunk and doing search i am not able to convert String type to date type. for that i am missing date functionality search. Could you help on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...