topic Re: Return date string from a subsearch in Splunk Search

Return date string from a subsearch

maxzintel — Mon, 01 Apr 2019 16:07:10 GMT

Hi all,

I am attempting to rename a column titled 'Yesterday' with yesterday's date. The goal is it would look like this: 'Yesterday (2019-03-31 UTC)'.

My initial solution to this was using a subsearch to output a strftime date that was converting the relative_time Unix timestamp of the end of yesterday. Code:

| rename Yesterday as [search index=example (earliest=-1d@d latest=@d) 
| eval endOfYesterday=relative_time(now(), "-1d@d")
| eval endDate=strftime(endOfYesterday, "%Y-%m-%d")
| eval yesterdayFieldName="\"Yesterday (".endDate." UTC)\""
| return $yesterdayFieldName]

As of recently, this was working. Outside of a subsearch/rename, it still outputs the correct values. I haven't altered the search at all since then. The only things I can think of that changed between then and now that are possibly relevant is that we updated from Splunk Enterprise 7.2.1 to 7.2.4, and the US had daylight savings time.

Other potentially relevant info: I can pass an integer through the return (like stats count as num and swapping endDate for num in yesterdayFieldName) and it works. The error message I get is:

Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+.

If anyone has any insight into what may be happening here or workarounds I can try, it would be much appreciated! Thank you in advance.

Re: Return date string from a subsearch

somesoni2 — Mon, 01 Apr 2019 19:39:49 GMT

Use this instead

| rename Yesterday as [ | makeresults 
 | eval search="\"Yesterday (".strftime( relative_time(now(),"-1d@d"),"%Y-%m-%d)\"")
 | table search]

Re: Return date string from a subsearch

maxzintel — Mon, 01 Apr 2019 19:52:10 GMT

Works like a charm! Thank you. Any idea why this method works and my original one did not?

Re: Return date string from a subsearch

somesoni2 — Mon, 01 Apr 2019 20:23:43 GMT

I believe your base search in that subsearch (index=example (earliest=-1d@d latest=@d)) might not be returning anything. Since you want to return a index-independent value, I would rather use makeresults than doing a search on an index.

You can confirm that by running this

 | rename Yesterday as [| makeresults 
 | eval endOfYesterday=relative_time(now(), "-1d@d")
 | eval endDate=strftime(endOfYesterday, "%Y-%m-%d")
 | eval yesterdayFieldName="\"Yesterday (".endDate." UTC)\""
 | return $yesterdayFieldName]

Re: Return date string from a subsearch

maxzintel — Mon, 01 Apr 2019 20:51:06 GMT

You are right. Since there were no events in the specified range (earliest=-1d@d latest=@d) I believe I was unable to get any timestamps to run relative_time() against. Thanks a bunch again! This was very helpful.