topic Re: why my eval strptime(substr()) field is not created ? in Getting Data In

why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 09:15:33 GMT

Hi,

I have a search like this :

index="test" sourcetype="B"
| dedup Id
| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")
| stats count(eval(Statut=="OK")) as OK count(eval(Statut=="KO")) as KO count(Statut) as TOTAL by horodate

This search works good with time picker "last 24h" :

but not with the time picker "Today" : it returns "no results found" whereas I have 3 events ...

I found that the

can you help me please ?

Re: why my eval strptime(substr()) field is not created ?

ITWhisperer — Thu, 29 Oct 2020 09:20:43 GMT

How many Statut fields do you have in interesting fields and what are their values?

Re: why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 09:25:53 GMT

hi @ITWhisperer

just one field Statut and 2 values OK,KO :

Re: why my eval strptime(substr()) field is not created ?

ITWhisperer — Thu, 29 Oct 2020 09:37:27 GMT

Sometimes stats has difficulty counting evals

Re: why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 09:56:52 GMT

hi @ITWhisperer

It doesn't work :

more weird, if I remove "by horodate" I get result BUT with nonsense TOTAL :

and same issue, when I run:

| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")
| fieldformat horodate=strftime(horodate,"%Y-%m-%d")

I don't see a field "horodate" in my "Interesting fields":

Re: why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 10:29:55 GMT

What I have just notice is that all values of each field appear twice :

my props :

[B]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
INDEXED_EXTRACTIONS = json
TIME_PREFIX = Horodate

Re: why my eval strptime(substr()) field is not created ?

ITWhisperer — Thu, 29 Oct 2020 10:30:44 GMT

Try trimming Statut

Re: why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 10:48:35 GMT

hi @ITWhisperer

I tried with the eval trim :

and I removed the "by horodate" , the TOTAL is again nonsense :

Re: why my eval strptime(substr()) field is not created ?

ITWhisperer — Thu, 29 Oct 2020 11:09:19 GMT

Try removing empty values from Statut

Re: why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 12:56:14 GMT

No still same problem :

the thing you have to understand is that the problem is at this level in the command :

| eval horodate=strptime(substr(Horodate,1,10),"%Y-%m-%d")

the substr does not work.

Re: why my eval strptime(substr()) field is not created ?

ITWhisperer — Thu, 29 Oct 2020 13:24:24 GMT

Hi @mah

Given that Statut is a multi-value field, perhaps the same is true for Horodate. Please try

index="test" sourcetype="B" | dedup Id | stats count(Horodate)

Also, you could try

Re: why my eval strptime(substr()) field is not created ?

mah — Thu, 29 Oct 2020 13:44:18 GMT

Yes, It is as I said : all values in all fields was twice.

So I added on the search head an app with the sourcetype "B" with le parameter KV_MODE = none :

[B]

KV_MODE = none

and all values appear one time only :

And finally my beginning query works well !

Thank you for your help.