Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to log date when report/query adds new values?

PTC_
Explorer
‎03-07-2023 09:01 AM

I have created a Report with a Query that updates a list of NAMES on CSV file.
If the NAMES field have empty strings or null values, the Query will try to get the NAME from another field and add it to NAMES. Something like this:

NAMES ADDED_ON_INDEX REPORT_UPDATE_DATE
Sara 01/03/2023 00:00:00 06/03/2023 17:28:17
John 01/02/2023 00:00:00 06/03/2023 17:28:17
Peter 01/01/2023 00:00:00 06/03/2023 17:28:17
     
Oliver 01/03/2023 00:00:00 06/03/2023 17:28:17

 

I want to achieve the following:

NAMES ADDED_ON_INDEX REPORT_UPDATE_DATE
Sara 01/03/2023 00:00:00 06/03/2023 17:28:17
John 01/02/2023 00:00:00 06/03/2023 17:28:17
Peter 01/01/2023 00:00:00 06/03/2023 17:28:17
Matt 22/01/2023 00:00:00 07/03/2023 18:33:09
Oliver 01/03/2023 00:00:00 06/03/2023 17:28:17

 

I want the Report to register the date ONLY when new values date and to NOT replace current dates, so I can keep track of when the NAMES were added by the Report.

I tried the following line but it doesn't do what I want. It always replace with the time the Report ran:

| eval Report_Update = strftime(now(),"%d/%m/%Y %H:%M:%S")

And "_time" gives me the date of when it was added to the index.

Is there a specific way to register this info?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-07-2023 09:36 AM

To set a field only when it's null, use the coalesce command.

| eval Report_Update = coalesce(Report_Update, strftime(now(),"%d/%m/%Y %H:%M:%S"))

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-07-2023 09:36 AM

To set a field only when it's null, use the coalesce command.

| eval Report_Update = coalesce(Report_Update, strftime(now(),"%d/%m/%Y %H:%M:%S"))

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

PTC_
Explorer
‎03-08-2023 02:34 AM

Is not updating the null fields with this command.
Any idea of what I could be doing wrong?

0 Karma
Reply
Solved! Jump to solution

PTC_
Explorer
‎03-08-2023 09:07 AM

I did the inverse and it worked for my case:

| eval Report_Update = coalesce(strftime(now(),"%d/%m/%Y %H:%M:%S"),Report_Update)

 

Thank you!

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2023 05:53 AM

It's possible the fields are not really null so coalesce doesn't touch them.

Can you share the full query and some sample data for it?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...