Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why isn't this eval'd field available?

LordVoldemort
Explorer
‎08-02-2012 01:37 PM

I've got a query like this:

sourcetype=blahdeblah earliest=... latest=...
| stats ....
| join ..[ search ... | more stats ... ]
| eval date_numericmonth=strftime(_time,"%m")
| sort date_year desc, date_numericmonth desc, date_mday asc
| table fields .... date_year, date_month, date_mday, date_numericmonth

Why is date_numericmonth empty in the resulting table? The sorting works as you would expect, and date_month shows up in the table just fine, so the date_numericmonth has a meaningful value, but for some reason I can't get it to show up in the results.

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-02-2012 02:20 PM

What fields are in the stats commands? Note that if _time is not a field output from stats, then the eval will yield a null. Also note that the date_* fields are basically independent of the _time field (and in fact may not be the same, since _time is UTC, while date_* is event text time) so even if they're there, time may not be.

0 Karma
Reply

LordVoldemort
Explorer
‎08-02-2012 03:37 PM

The sorting is a bit complicated, look at the asc, and desc's. Mostly though, I want to use the date_numericmonth in the splunk results and I can't if it isn't being returned.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-02-2012 02:29 PM

I guess I don't see why you wouldn't just | sort - _time instead.

0 Karma
Reply

LordVoldemort
Explorer
‎08-02-2012 02:26 PM

The stats is using the date_x fields, but the thing that confuses me is that the date_numericmonth is working for the sort command. I didn't realize that _time was necessary in UTC though. It seems like I might be better off extracting all of my date fields through evals()s, and if I understand correctly, all I need to do to make sure I can return all of them is aggregate by them in the stats command.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...