Getting Data In

How to export results from makeresults in the query body?

malear_ion
New Member

For example I have this query:

index=en_amp_api 
    [ | makeresults 
    | eval time = relative_time(now(),"-h@w1") 
    | eval format = strftime(time, "%m/%d/%Y:%H:%M:%S") 
    | eval earliest=strptime(format,"%m/%d/%Y") 
    | eval latest=relative_time(earliest,"+24h@h") 
| table earliest latest ]
| table earliest, latest
| ....

I see the values of earliest and latest with table only inside [ ... ], but I cannot see the values after the closing brackets!

I want to see the values after the closing brackets! How is that possible?

0 Karma

jitendragupta
Path Finder

As per my understanding, you want to generate earliest and latest epochs from the makeresults query and pass them to your index query.
Please try this code:

| makeresults 
     | eval time = relative_time(now(),"-h@w1") 
     | eval format = strftime(time, "%m/%d/%Y:%H:%M:%S") 
     | eval earliest=strptime(format,"%m/%d/%Y") 
     | eval latest=relative_time(earliest,"+24h@h") | table earliest latest 
     | map maxsearches=1000 search="search index=en_amp_api earliest=$earliest$ latest=$latest$ | table <list of fields> "

Let me know if it works.

0 Karma
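The reason the fields disappear after the closing bracket: the subsearch's rows are rewritten into search terms, so the returned earliest and latest become the outer search's time bounds rather than fields on the events. This added example (not from the thread) uses addinfo to surface those applied bounds as info_min_time and info_max_time; hostname and last_seen are assumed to be fields of the en_amp_api events, as in the thread.

```spl
index=en_amp_api
    [ | makeresults
      | eval earliest=relative_time(now(), "-h@w1")
      | eval latest=relative_time(earliest, "+24h@h")
      | table earliest latest ]
| addinfo
| eval window_start=strftime(info_min_time, "%m/%d/%Y %H:%M:%S"),
       window_end=strftime(info_max_time, "%m/%d/%Y %H:%M:%S")
| table hostname last_seen window_start window_end
```

If the window columns do not match what makeresults computed, the subsearch did not return earliest/latest as expected; run the bracketed part on its own and check that it yields exactly one row with both fields.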

malear_ion
New Member

Unfortunately, the proposed solution does not work

0 Karma

jitendragupta
Path Finder

What is the error you are getting? Please provide some screenshot.

0 Karma

malear_ion
New Member

I have a different case:

| eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month")
| eval 1_week_ago = case(last_seen < strftime(relative_time(now(), "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")

Now: 7/12/19 10:30:00.000 AM
I need to search the first case in the time interval 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
and the second case in the time interval 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM.

How is it possible?

With the search parameters earliest and latest it's impossible:

index=en_amp_api earliest=@w1 latest=@w2

because the search works only on the first case.

I tried something like this to make earliest and latest variables:

| makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest = strptime(format,"%m/%d/%Y")
| eval latest = relative_time(earliest,"+24h@h")
| eval format_earliest = strftime(earliest,"%m/%d/%Y %H:%M:%S")
| eval format_latest = strftime(latest,"%m/%d/%Y %H:%M:%S")
| table format_earliest format_latest

0 Karma
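For the two-interval case above, an added example (not the asker's or any answerer's search) runs each case as its own subsearch of multisearch with its own time window and tags the rows, so both windows appear in one result set. It assumes now is 7/12/19 as stated, so @w1 snaps to Monday 7/8/19 and -7d@w1 to Monday 7/1/19, and that hostname and last_seen are fields of the en_amp_api events.

```spl
| multisearch
    [ search index=en_amp_api earliest=@w1 latest=@w1+24h@h
      | eval window="1 Month" ]
    [ search index=en_amp_api earliest=-7d@w1 latest=-7d@w1+24h@h
      | eval window="2 Month" ]
| table window hostname last_seen
```

Each bracketed search must contain only streaming commands (search and eval qualify); put table, stats and similar commands after multisearch.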

woodcock
Esteemed Legend

To answer your question, see here:
https://answers.splunk.com/answers/689333/earliest-is-the-maxtimestamp-from-an-inputlookup.html
But that is overkill, just do this:

index=en_amp_api earliest=-h@w1 latest=-h@w1+24h@h

0 Karma

malear_ion
New Member

I need to change the values of earliest and latest in different cases, so I cannot set the search parameters after the index.
I need to change them by setting a higher or lower value, so that the search for the different cases runs at the time indicated by earliest and latest.

0 Karma

woodcock
Esteemed Legend

Give us TWO FULL examples of what you are trying to do starting with the raw event data and ending with a mockup of the final results, with detailed pseudocode descriptions of the steps required. I have no idea what you mean by this comment. It very much seems like you are going about this completely the wrong way.

0 Karma

woodcock
Esteemed Legend

What is it with pictures lately? I wish answers would disable that. We need your raw text so that we can work with it.

0 Karma

malear_ion
New Member

Sorry, I understand.
I will make changes!

0 Karma

Vijeta
Influencer

@malear_ion Do you have any earliest and latest fields in your index en_amp_api?

0 Karma

malear_ion
New Member

No, it is a replacement for the search parameters.

0 Karma

malear_ion
New Member

For example :

index=en_amp_api earliest=@w1 latest=@w2 | table hostname, last_seen

It's the same!

0 Karma