topic Re: How to export results from makeresult in query body ? in Getting Data In

How to export results from makeresult in query body ?

malear_ion — Thu, 11 Jul 2019 14:44:11 GMT

For example I have this query:

index=en_amp_api 
    [ | makeresults 
    | eval time = relative_time(now(),"-h@w1") 
    | eval format = strftime(time, "%m/%d/%Y:%H:%M:%S") 
    | eval earliest=strptime(format,"%m/%d/%Y") 
    | eval latest=relative_time(earliest,"+24h@h") 
| table earliest latest ]
| table earliest, latest
| ....

I see values of earliest and latest with table only [ ... ], but I can not see values after closing brackets !

I wont to see the value after closing brackets ! How is that possible?

Re: How to export results from makeresult in query body ?

Vijeta — Wed, 30 Sep 2020 01:13:16 GMT

@malear_ion Do you have any earliest and latest field in your index en_amp_api ?

Re: How to export results from makeresult in query body ?

malear_ion — Thu, 11 Jul 2019 15:41:14 GMT

No, is a replacement of search parameters

Re: How to export results from makeresult in query body ?

malear_ion — Thu, 11 Jul 2019 15:41:30 GMT

For example :

index=en_amp_api earliest=@w1 latest=@w2 | table hostname, last_seen

It's the same !

Re: How to export results from makeresult in query body ?

woodcock — Thu, 11 Jul 2019 20:32:38 GMT

What is it with pictures lately? I wish answers would disable that. We need your raw text so that we can work with it.

Re: How to export results from makeresult in query body ?

woodcock — Thu, 11 Jul 2019 20:36:26 GMT

To answer your question, see here:
https://answers.splunk.com/answers/689333/earliest-is-the-maxtimestamp-from-an-inputlookup.html
But that is overkill, just do this:

index=en_amp_api earliest=-h@w1 latest=-h@w1+24h@h

Re: How to export results from makeresult in query body ?

malear_ion — Fri, 12 Jul 2019 06:05:36 GMT

Sorry, I understand
I will make changes !

Re: How to export results from makeresult in query body ?

malear_ion — Fri, 12 Jul 2019 06:14:58 GMT

I need to change values: earliest and latest in different cases, so I can not set the search parameters after the index .
I need to change by setting the higher or lower value, search for different cases runs at the time indicated by earliest and latest.

Re: How to export results from makeresult in query body ?

jitendragupta — Fri, 12 Jul 2019 06:59:10 GMT

As per my understanding, u want to generate earliest and latest epochs from makeresult query and want to pass it to your index query.
Please try this code:

| makeresults 
     | eval time = relative_time(now(),"-h@w1") 
     | eval format = strftime(time, "%m/%d/%Y:%H:%M:%S") 
     | eval earliest=strptime(format,"%m/%d/%Y") 
     | eval latest=relative_time(earliest,"+24h@h") | table earliest latest 
     | map maxsearches=1000 search="search index=en_amp_api earliest=$earliest$ latest=$latest$ | table <list of fields> "

Let me know if it work.

Re: How to export results from makeresult in query body ?

malear_ion — Wed, 30 Sep 2020 01:17:38 GMT

Unfortunately, the proposed solution does not work ...
I have different case:

| eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month")
| eval 1_week_ago = case( last_seen < strftime(relative_time(now() "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")
Now: 7/12/19 10:30:00.000 AM
I need search first case in interval of time 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in interval of time 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM

How it's possible ?

Re: How to export results from makeresult in query body ?

malear_ion — Fri, 12 Jul 2019 08:22:43 GMT

I have different case:

  | eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month") 
    | eval 1_week_ago = case( last_seen < strftime(relative_time(now() "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")

Now: 7/12/19 10:30:00.000 AM
I need search first case in interval of time 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in interval of time 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM

How it's possible ?

With search parameter earliest and latest it's impossible,

index=en_amp_api earliest=@w1 latest=@w2

because the search work only on first case.
That's why I try something this to do earliest and latest as variables.

Re: How to export results from makeresult in query body ?

malear_ion — Wed, 30 Sep 2020 01:17:41 GMT

I have different case:

How it's possible ?

With search parameter earliest and latest it's impossible,

index=en_amp_api earliest=@w1 latest=@w2
because the search work only on first case.

I try something this to do earliest and latest as variables:

| makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest = strptime(format,"%m/%d/%Y")
| eval latest = relative_time(earliest,"+24h@h")
| eval format_earliest = strftime(earliest,"%m/%d/%Y %H:%M:%S")
| eval format_latest = strftime(latest,"%m/%d/%Y %H:%M:%S")
| table format_earliest format_latest

Re: How to export results from makeresult in query body ?

malear_ion — Fri, 12 Jul 2019 08:36:38 GMT

Unfortunately, the proposed solution does not work

Re: How to export results from makeresult in query body ?

jitendragupta — Fri, 12 Jul 2019 08:49:03 GMT

What is the error you are getting? Please provide some screenshot.

Re: How to export results from makeresult in query body ?

woodcock — Mon, 15 Jul 2019 15:56:13 GMT

Give us TWO FULL examples of what you are trying to do starting with the raw event data and ending with a mockup of the final results, with detailed pseudocode descriptions of the steps required. I have no idea what you mean by this comment. It very much seems like you are going about this completely the wrong way.