topic Re: assign value to earliest in Splunk Search

assign value to earliest

eranhauser — Fri, 06 Oct 2023 19:12:53 GMT

How I can assign a value to the earliest argument in my query which is the rounded to the last 10 minutes?
when I try index=aaa earliest=((floor(now()/600))*600 I get an error that ((floor(now()/600))*600 is an invalid term

Re: assign value to earliest

inventsekar — Fri, 06 Oct 2023 20:11:30 GMT

Hi @eranhauser ...

Please check this and update us:

|makeresults | eval timeTest=strftime((floor(now()/600))*600,"%Y-%m-%d %H:%M:%S") | search index=test earliest=timeTest

Re: assign value to earliest

eranhauser — Fri, 06 Oct 2023 20:38:39 GMT

We think alike. I tried that before and although I got no error I also got no result

Re: assign value to earliest

PickleRick — Fri, 06 Oct 2023 20:48:44 GMT

You can't do it like that. It's not an eval so the expression will be treated literally.

You'd have to use subsearch to create that value dynamically.

Re: assign value to earliest

eranhauser — Fri, 06 Oct 2023 21:21:46 GMT

Thank you. Putting the earliest and latest in the subserch worked

Re: assign value to earliest

inventsekar — Fri, 06 Oct 2023 21:27:38 GMT

Good, that you solved the issue..

its an interesting issue.. the floor command "was" working fine some years ago and now it seems something wrong.. i tried using eval and floor.. it gives a complaint that right side floor output can not be assigned to left side variable.. use bool command inside the if loop along with floor command. i tried but no luck.

i checked the eval's man page... but no luck. something wrong with eval command.
i tried the subsearch and return logic as well.. but no luck.

ok, its good that u r able to solve this issue now..

also please post your final SPL query also.. for everyone's learning. thanks.

Re: assign value to earliest

eranhauser — Sat, 07 Oct 2023 01:27:30 GMT

Below is the query one should use: [| makeresults | eval earliest=(floor(now()/600))*600-600, latest=(floor(now()/600))*600 ] | search index=test .... because the sub search is being executed first the query becomes: earliest=1234 latest=5678 index=test ... if one tries to rename earliest or latest with a different names (like my_early_time, my_latest_time) there will be no result as the query will be: my_early_time=1234 my_latest_time=5678 index=test ...