https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199734#M57854 <P>Everyone should have such a list <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 27 Mar 2014 11:42:51 GMT martin_mueller 2014-03-27T11:42:51Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199730#M57850 <P>Hi<BR /> I have a search string like <BR /> host=ABC "Sales Month"="March"|.....<BR /> Instead of hard coding the month March can I make it dynamic. <BR /> I tried like host=ABC "Sales Month"== strftime(now(),"%B").<BR /> But it seems not working.Can anybody help.</P> Thu, 27 Mar 2014 07:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199730#M57850 SplunkBaby 2014-03-27T07:35:28Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199731#M57851 <P>Hi SplunkBaby,</P> <P>try something like this:</P> <PRE><CODE>host=ABC | eval Sales_Month=strftime(now(), "%B") | ... </CODE></PRE> <P>this will return the field <CODE>Sales_Month</CODE> as march as of today 03/27/2014.<BR /> Yes, the field name <CODE>Sales_Month</CODE> and <CODE>"Sales Month"</CODE> are the same, because Splunk tends to replace spaces in field names with a <CODE>_</CODE> .</P> <P>hope this helps and thanks for voting <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>cheers, MuS</P> Thu, 27 Mar 2014 07:50:46 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199731#M57851 MuS 2014-03-27T07:50:46Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199732#M57852 <P>For filtering in the initial search I highly recommend computing the value using an eval-based macro like so:</P> <PRE><CODE>[current_month_name] definition = strftime(time(), "%B") iseval = 1 </CODE></PRE> <P>Your search then becomes this:</P> <PRE><CODE>host=ABC Sales_Month=`current_month_name` </CODE></PRE> <P>And Splunk can use its index appropriately, and avoids loading events that don't have that month value.</P> Thu, 27 Mar 2014 08:11:04 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199732#M57852 martin_mueller 2014-03-27T08:11:04Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199733#M57853 <P>this is really a nice approach! have to write it down on the ThingsICanDoBetterNextTime List <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 27 Mar 2014 08:54:40 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199733#M57853 MuS 2014-03-27T08:54:40Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199734#M57854 <P>Everyone should have such a list <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 27 Mar 2014 11:42:51 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199734#M57854 martin_mueller 2014-03-27T11:42:51Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199735#M57855 <P>Thanks a a lot.This is new learning to me and I solved my problem.</P> Thu, 27 Mar 2014 13:08:30 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199735#M57855 SplunkBaby 2014-03-27T13:08:30Z https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199736#M57856 <P>Thanks for the support.</P> Thu, 27 Mar 2014 13:09:24 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-in-search/m-p/199736#M57856 SplunkBaby 2014-03-27T13:09:24Z