We have a field in some of the JSON that is a string representation of a date. The date is formatted like this:
Tue, 31 Dec 2013 17:48:19 +0000
How can I convert this string into a date, so that we can parse various parts of the date out at search-time? Currently it seems that we cannot convert it at all, and the resulting fieldname comes out blank. Ex:
... | convert timeformat="%Y-%m-%d" ctime(OUR_DATE_FIELD) AS day | table OUR_DATE_FIELD, day
... | convert timeformat="%Y-%m" ctime(OUR_DATE_FIELD) AS month | table OUR_DATE_FIELD, month
... | eval day=strftime(OUR_DATE_FIELD, "%y-%m-%d") | table OUR_DATE_FIELD, day
However, if we replace OUR_DATE_FIELD with _time, it obviously resolves correctly.
Inevitably I would like to be able to easily toggle between report types like:
... | convert timeformat="%Y-%m-%d" ctime(OUR_DATE_FIELD) AS day | timechart count by day
... | convert timeformat="%Y-%m" ctime(OUR_DATE_FIELD) AS month | timechart count by month