Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search with where to filter based on wildcard variable

splunkreal
Influencer
‎01-19-2018 09:09 AM

Could you let me know why the results are not filtered (I hidden sensible data) with | where NOT like (source, "%stimeyesterday%")

![alt text][1]

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE (index=* AND ...) by host source sourcetype | eval lastevent=strftime(latest, "%Y-%m-%d %H:%M") | eval firstevent=strftime(earliest, "%Y-%m-%d %H:%M")
... | eval timeYesterday=round(relative_time(now(), "-1d@d"))| eval stimeyesterday=strftime(timeYesterday, "%Y-%m-%d") | eval timeRelative=round(relative_time(now(), "@d")) | where latest < timeRelative | eval resultat=if(latest < timeRelative,"KO","OK") | eval stimerel=strftime(timeRelative, "%Y-%m-%d %H:%M") | sort host | fields - latest earliest timeRelative timeYesterdayss | where NOT like(source,"%stimeyesterday%")

* If this helps, please upvote or accept solution if it solved *
Preview file
54 KB
0 Karma
Reply

dstoev
Path Finder
‎12-02-2021 07:04 AM

Hey @splunkreal , thank you for sharing this, it's quite useful!
I have similar eval command:

... | eval year_month=strftime(_time,"%Y-%m")."%" | where like(access_key_1_last_used_date, year_month) OR like(access_key_2_last_used_date, year_month)


which is setting year_month  to the following format YYYY-MM, e.g. 2021-12 and then search it in access_key_{1,2}_last_used_date fieldswhich have the following format 2021-11-20T00:35:38+00:00

So this is working just fine (thanks to the wildcard "%"), but if I ONLY change now() to _time it is not working.  If I simplify the search to:


...| eval year_month=strftime(now(),"%Y-%m")."%" | table year_month

Both results in the same:

splunk_query_year_month.png

Any ideas?

0 Karma
Reply

splunkreal
Influencer
‎01-22-2018 03:28 AM

Solved by support :

| where NOT like(source,stimeyesterday)
So, in your query, you can use something like, to add the %% around the filter string beforehand:
| eval stimeyesterday="%".strftime(timeYesterday, "%Y-%m-%d")."%"

* If this helps, please upvote or accept solution if it solved *
Reply

mayurr98
Super Champion
‎01-19-2018 09:45 AM

hey @realsplunk, I do not know what you are trying to achieve you want to filter out source which has stimeyesterday keyword? then

instead of | where NOT like(source,"%stimeyesterday%") use | search NOT source=*stimeyesterday*

let me know if this helps!

0 Karma
Reply

splunkreal
Influencer
‎01-22-2018 01:39 AM

No, 2018-01-21 logs still there 😞

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

mayurr98
Super Champion
‎01-22-2018 01:44 AM

which is the field that contains date? if you have a value in source field then only you can apply this query.
This works vertically not horizontally. pls, explain what table you got and what do you want to exclude.

0 Karma
Reply

splunkreal
Influencer
‎01-22-2018 03:00 AM

see attachment here : https://answers.splunk.com/storage/attachments/226762-search.png thanks

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...