topic Re: How do I search using an evaluated numeric field in Splunk Search

How do I search using an evaluated numeric field

arungeorge09 — Tue, 13 Jan 2015 18:29:22 GMT

 index=xxx event="NEAT-IN" platform=apns   |eval epochT=relative_time(now(), "-2d@d") | eval day= strftime(epochT,"%d") | eval month=strftime(epochT,"%m")| eval year=strftime(epochT,"%Y") |fields day,*| search date_mday=day

This search is not working as expected. If I list the results I can see 11,11 for table date_mday,day .

Re: How do I search using an evaluated numeric field

arungeorge09 — Tue, 13 Jan 2015 18:48:32 GMT

Anybody knows how do I do this. This is very simple query but simply not working.

Re: How do I search using an evaluated numeric field

somesoni2 — Tue, 13 Jan 2015 18:55:42 GMT

Try this

index=xxx event="NEAT-IN" platform=apns [| gentimes start=-1 | eval date_mday=tonumber(strftime(relative_time(now(), "-2d@d"),"%d"))  | table date_mday ]

Re: How do I search using an evaluated numeric field

arungeorge09 — Mon, 28 Sep 2020 18:37:43 GMT

I have already a field called date_mday . I just need to match it. Here is my problem.

Following is my data

 12/13/14 10:23:17.489 AM <167>1 2014-12-12T21:53:17.489-07:00 x.y.com neat 6627 apns [meta@28281 sequenceId="70840" sysUpTime="1093867625"][analytics@28281 event="NEAT-IN" platform="APNS"] {"timestamp":"1418446397487","platform":"apns","alertId":"142900204","appId":"appId","args":{},"deviceToken":"devToen","alert":"Message"}

As you can see I can't rely on _time as this is different and hence my dashboard queries with earliest=-1d@d is wrong. I instead want _time to be the time stamp after '<167> 1'. How do I do that. So my solution was to use the parsed fields date_mday which actually represents this second timestamp and match with current time and then use this inside dashboard query.

Re: How do I search using an evaluated numeric field

arungeorge09 — Tue, 13 Jan 2015 19:26:48 GMT

This is working man yes. I need to still understand what is being done here and why the simple query is not. what is gentimes . why a subquery required

Re: How do I search using an evaluated numeric field

somesoni2 — Tue, 13 Jan 2015 19:47:30 GMT

The gentimes is just a command to generate a row without hitting any index. You can use "| gentimes start=-1" OR "| stats count" to generate single row which will be used to define filters via subsearch.

For writing optimum searches, all the filters should be moved to the right (as close to base search) if possible. The simple query you wrote is doing lot of eval calculations for all the rows and then applying filter, whereas the subsearch will just get evaluation once (before the base search) and its return values (which will be "date_mday=value") is replaced in base search, providing optimum filtering.

In your search, I believe you're missing the conversion of "day" to number, (date_mday is number), as day is output of strftime command which will be string.

Re: How do I search using an evaluated numeric field

arungeorge09 — Mon, 28 Sep 2020 18:37:46 GMT

Nope its not working . Do you know why. I need this for some other requirement.