Hi all, I'm a bit new to Splunk - I'm trying to sort some data by month, but I'm running into some roadblocks doing so. I'd like to create a separate field, "month", based on the month value in a field called "date" with format "YYYY/MM/DD HH:MM:SS". I've tried
*code* | eval month = strftime(date,"%m") | stats sum(field1) by field2, field3, month
but it doesn't seem to be working for this format, as the "month" field shows up blank for all results and I get no results when trying to sort by this field. However, when I try to reorganize the date itself into a different format, it works:
*code* | eval new_date=strftime(strptime(date,"%Y/%m/%d"),"%m/%d/%y") | stats sum(field1) by field2, field3, new_date
And the output is as expected, with the information sorted by relevant fields and the new_date field formatted as MM/DD/YY.
Any thoughts on how I can do something similar and just get either "01" or "January" as the month field output?
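An added, run-anywhere example (not part of the original post): `strftime` formats an epoch timestamp, so a string such as "YYYY/MM/DD HH:MM:SS" is first parsed with `strptime`, then formatted with `%m` ("01") or `%B` ("January"). The sample rows built with `makeresults` are constructed, `epoch`, `month_name` and `total` are assumed names, and the `coalesce` keeps unparseable dates visible, since `stats ... by` drops events whose by-field is null.

```spl
| makeresults count=4
| streamstats count AS n
| eval date=case(n=1,"2023/01/15 08:30:00", n=2,"2023/01/28 17:05:12", n=3,"2023/02/03 11:45:59", n=4,"not a date")
| eval field1=n*10, field2="hostA", field3="web"
| eval epoch=strptime(date,"%Y/%m/%d %H:%M:%S")
| eval month=coalesce(strftime(epoch,"%m"),"unparsed"), month_name=strftime(epoch,"%B")
| stats sum(field1) AS total BY field2, field3, month
| sort month
```

Swap `month` for `month_name` in the `stats` clause to group by the full month name instead of the two-digit number.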