Check if first occurrence of event is today

wu_weidong — Fri, 06 Dec 2019 03:02:19 GMT

I'm trying to check if the first occurrence of an event is today using the query below. However, I keep getting result as "0", indicating that there was no match, even though some of the dates are the same.

mysearch | stats earliest(_time) as firstSeen by item | fieldformat firstSeen=strftime(firstSeen, "%d-%m-%Y") | eval today_date=strftime(now(), "%d-%m-%Y") | eval result=if(firstSeen=today_date, "1", "0")

All of my results are "0", even for entries like the one below.

item     firstSeen     today_date    result
ABC      06-12-2019    06-12-2019    0

I even tried to change the if-condition to firstSeen!=today_date just to see what happens, and my result is still all '0', even for those where the dates don't match. It doesn't seem like the if-condition is being evaluated.

What should I do?

Re: Check if first occurrence of event is today

shandr — Fri, 06 Dec 2019 04:30:36 GMT

Use eval instead of fieldformat.

That fieldformat command changes the appearance of the results without changing the underlying value of the field. Refer to https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Fieldformat

topic Re: Check if first occurrence of event is today in Splunk Search

Check if first occurrence of event is today

Re: Check if first occurrence of event is today