topic Re: Use strftime eval in same query in Splunk Search

Use strftime eval in same query

jsmithn — Thu, 24 Oct 2019 20:28:46 GMT

I am trying to create a search that evaluates today's date and uses that output string/field as part of the search:

**sourcetype=named | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | search nowstr**

The unique string needed is "(serial 2019102402)" and I've confirmed the field "nowstr" is that exact string. I think I need a subsearch but cannot get it working:

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | table nowstr ]

LOG EVENT

HOSTNAME named[32473]: 24-Oct-2019 09:00:10.656 notify: info: zone example.com/IN: sending notifies (serial 2019102402)

Re: Use strftime eval in same query

richgalloway — Thu, 24 Oct 2019 22:19:40 GMT

Why do you think you need a subsearch? How is the first query failing you?
Does 'nowstr' contain quotes? If not, that may explain the failure.

Re: Use strftime eval in same query

tiagofbmm — Thu, 24 Oct 2019 22:23:44 GMT

You can use a subsearch of makeresults. You apply your eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" within the makeresults and do a return $nowstr.

In the end something like this:

Search sourcetype=named [ | makeresults | eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr]

Let me know

Re: Use strftime eval in same query

jsmithn — Fri, 25 Oct 2019 00:16:35 GMT

Trying that "Error in 'search' command: Unable to parse the search: unbalanced parentheses.". But I did not know about the return command, using that I was able to get it to work. There's likely a better, more elegant solution, but it returns the results expected! 🙂

Re: Use strftime eval in same query

jsmithn — Fri, 25 Oct 2019 00:19:44 GMT

Also works with either "makeresults" or "gentimes start=-1". I don't know the difference, if one is better (more economical for search).

Re: Use strftime eval in same query

jsmithn — Fri, 25 Oct 2019 00:25:48 GMT

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr ] "(serial"

Not really sure what's happening but it works. Thanks to tiagofbmm for moving it along. Can replace "gentimes start=-1" with "makresults" but unknown if one is better.

Re: Use strftime eval in same query

jsmithn — Fri, 25 Oct 2019 00:27:27 GMT

I think that because of other posts in the community, seems like a subsearch is the way to accomplish what I want. The first query does not yield any results. 'nowstr' is defined by my statement above. Using today's date, its value is (serial 2019102402). No quotes.

Re: Use strftime eval in same query

woodcock — Sat, 26 Oct 2019 00:18:16 GMT

Like this:

| makeresults
| eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)"
| map search="search index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=named $nowstr$"