topic Re: How to set value for earliest and latest? in Splunk Search

How to set value for earliest and latest?

avaishsplunk — Sun, 25 Dec 2016 22:25:10 GMT

Unable to set value for earliest and latest, I am getting errors. Below is my search query.

eval earliest=if(strftime(now(),"%A")=="Monday","-3d@d","-1d@d") eval latest=if(strftime(now(),"%A")<>"Monday", "-3d@s","1d@s") index=XXX sourcetype=YYY |search "XXYZ"
               |spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
               |             spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
               |             spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
               | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
               |             spath output=OCpath=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
               |             spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
               |             spath output=CCpath=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
               |             eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),OC),TimeZone),CC)
               |             mvexpand combined|eval combined=split(combined,",")|             eval  OpName=mvindex(combined,0)
               |             eval  EvType=mvindex(combined,1)
               |             eval state=mvindex(combined,2)
               |                                            eval Line_Count=mvindex(combined,3)
               |             eval OC=mvindex(combined,4)
               | eval TimeZone =mvindex(combined,5)
               |             eval CC=mvindex(combined,6)
               |where OpName="Total Reservations Count"

Re: How to set value for earliest and latest?

richgalloway — Sun, 25 Dec 2016 23:27:44 GMT

What errors are you getting?

Re: How to set value for earliest and latest?

avaishsplunk — Sun, 25 Dec 2016 23:41:30 GMT

Hello Rich,

Thanks for the reply,I was getting expression is malformed error after eval earliest, i got this fixed, below is my updated search query:

[| gentimes start=-1 
 | eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d", "-1d@d") 
 | eval latest=if(lower(strftime(now(),"%A"))="monday","-3d@s", "-1d@s")
 | table earliest, latest | format "" "" "" "" "" ""]  index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=ccpath=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),cc)
 | mvexpand combined|eval combined=split(combined,",")
 | eval  OpName=mvindex(combined,0)
 | eval  EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"|append
 [search earliest=@d   index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=CDC_RDC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),CDC_RDC)
 | mvexpand combined
 | eval combined=split(combined,",")
 | eval  OpName=mvindex(combined,0)
 | eval  EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"]
 | bucket _time span=1d
 | stats sum(Line_Count) AS Requests by _time

Re: How to set value for earliest and latest?

avaishsplunk — Mon, 26 Dec 2016 06:05:46 GMT

I got the issue fixed, thanks for looking into this Rich!

Re: How to set value for earliest and latest?

avaishsplunk — Mon, 26 Dec 2016 06:06:35 GMT

The issue was with a missing comma " ' " in my query

Re: How to set value for earliest and latest?

niketn — Tue, 29 Sep 2020 12:12:56 GMT

Kindly update your question with your query which needs assistance...

You eval expressions are missing comma before default case 1==1 expression.
Also please choose appropriate default value since Others is not valid option for earliest or latest. Please find the snippet below:

[| gentimes start=-1
| eval earliest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday", "-3d@d",
$SearchOption$ == "Last_Week_Same_Day_Time","-7d@d",
$SearchOption$ == "Last_Working_Day","-1d@d")
| eval latest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday","-3d@s",
$SearchOption$=="Last_Week_Same_Day_Time","-7d@s",
$SearchOption$=="Last_Working_Day","-1d@s")
| table earliest, latest
| format "" "" "" "" "" ""]

Re: How to set value for earliest and latest?

niketn — Mon, 26 Dec 2016 12:48:14 GMT

Kindly accept if this answer has helped you fix the issue.