Solved: How to compare using eval expression and field val...

k_harini · ‎10-20-2016

I want the table to be generated based on 2 conditions - one condition is comparing eval expression and other field value pair.. how to do that
index="myindex" |eval Due_Date_Time = strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|table ID,Category | where (now_time>=Due_Date_Time) AND ('System Status'!="Completed")

This where clause is not working.. please help

inventsekar · ‎10-20-2016

i dont have logs to test this, can you check this once -

index="myindex" |eval Due_Date_Time = strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|table ID,Category | where (now_time>=Due_Date_Time) | search 'System Status'!="Completed"

or even, you can try checking the System Status at first stage itself -

index="myindex" 'System Status'!="Completed" |eval Due_Date_Time = strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|table ID,Category | where (now_time>=Due_Date_Time)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

javiergn · ‎10-20-2016

I can see two issues:

1) Your "|table ID,Category" is getting rid of some fields you are using later on such as now_time, System Status or Due_Date_Time.
2) I think this part is also going to cause you a headache as you are not comparing integers with integers, just strings with strings:

 where (now_time>=Due_Date_Time)

Can you try this instead?

index="myindex" 
|eval Due_Date_Epoch = strptime('Due By',"%d.%m.%Y")
|table ID, Category, Due_Date_Epoch, 'System Status'
| where (now() >= Due_Date_Epoch) AND ('System Status'!="Completed")

Thanks,
J

k_harini · ‎10-20-2016

Thanks for your reply. This is also not working..

inventsekar · ‎10-20-2016

i dont have logs to test this, can you check this once -

index="myindex" |eval Due_Date_Time = strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|table ID,Category | where (now_time>=Due_Date_Time) | search 'System Status'!="Completed"

or even, you can try checking the System Status at first stage itself -

index="myindex" 'System Status'!="Completed" |eval Due_Date_Time = strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|table ID,Category | where (now_time>=Due_Date_Time)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

k_harini · ‎10-20-2016

Thanks for your reply.. both are not working

second one works till here.. where clause time condition not working 😞
index="myindex" "System Status"!="Completed"|eval Due_Date_Time = strftime(strptime('Due By',"%d.%m.%Y"),"%d.%m.%Y")|eval now_time=strftime(now(),"%d.%m.%Y")|table ID,Category

inventsekar · ‎10-20-2016

 index="myindex" 'System Status'!="Completed"
  |eval Due_Date = strptime('Due By',"%d.%m.%Y") 
  | where (now() >= Due_Date)
  |table ID, Category

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

k_harini · ‎10-20-2016

It worked the way i wanted.. Thank you so much..

How to compare using eval expression and field value pair

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Are you a member of the Splunk Community?

How to compare using eval expression and field value pair

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility