Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to log date when report/query adds new values?

PTC_
Explorer
‎03-07-2023 09:01 AM

I have created a Report with a Query that updates a list of NAMES on CSV file.
If the NAMES field have empty strings or null values, the Query will try to get the NAME from another field and add it to NAMES. Something like this:

NAMES ADDED_ON_INDEX REPORT_UPDATE_DATE
Sara 01/03/2023 00:00:00 06/03/2023 17:28:17
John 01/02/2023 00:00:00 06/03/2023 17:28:17
Peter 01/01/2023 00:00:00 06/03/2023 17:28:17
     
Oliver 01/03/2023 00:00:00 06/03/2023 17:28:17

 

I want to achieve the following:

NAMES ADDED_ON_INDEX REPORT_UPDATE_DATE
Sara 01/03/2023 00:00:00 06/03/2023 17:28:17
John 01/02/2023 00:00:00 06/03/2023 17:28:17
Peter 01/01/2023 00:00:00 06/03/2023 17:28:17
Matt 22/01/2023 00:00:00 07/03/2023 18:33:09
Oliver 01/03/2023 00:00:00 06/03/2023 17:28:17

 

I want the Report to register the date ONLY when new values date and to NOT replace current dates, so I can keep track of when the NAMES were added by the Report.

I tried the following line but it doesn't do what I want. It always replace with the time the Report ran:

| eval Report_Update = strftime(now(),"%d/%m/%Y %H:%M:%S")

And "_time" gives me the date of when it was added to the index.

Is there a specific way to register this info?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-07-2023 09:36 AM

To set a field only when it's null, use the coalesce command.

| eval Report_Update = coalesce(Report_Update, strftime(now(),"%d/%m/%Y %H:%M:%S"))

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-07-2023 09:36 AM

To set a field only when it's null, use the coalesce command.

| eval Report_Update = coalesce(Report_Update, strftime(now(),"%d/%m/%Y %H:%M:%S"))

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

PTC_
Explorer
‎03-08-2023 02:34 AM

Is not updating the null fields with this command.
Any idea of what I could be doing wrong?

0 Karma
Reply
Solved! Jump to solution

PTC_
Explorer
‎03-08-2023 09:07 AM

I did the inverse and it worked for my case:

| eval Report_Update = coalesce(strftime(now(),"%d/%m/%Y %H:%M:%S"),Report_Update)

 

Thank you!

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2023 05:53 AM

It's possible the fields are not really null so coalesce doesn't touch them.

Can you share the full query and some sample data for it?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...