Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a date to a string Message

griffinpair
Path Finder
‎08-20-2018 01:15 PM

I am trying to create an error message based on a time frame, the last 15 min. and now. So the error message would say,

"Client Missed file between 15:15:00 - 15:30:00"

The times are calculated at the time of the search and the following search below fails as "Error in 'eval' command: Typechecking failed. '+' only takes two strings or two numbers."

| eval 15MinEarly=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S")
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " + 15MinEarly + " - " Now

How do you convert the two times to string so I can concatenate them into the error message?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 07:57 AM

@griffinpair,

Is it ok for you to change the variable name from 15MinEarly to MinEarly_15? Also change your search to add + to the last "Now"

| eval MinEarly_15=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S") 
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " + MinEarly_15 + " - " + Now

Looks like splunk is bit confused to see the variables starting with digits 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 07:57 AM

@griffinpair,

Is it ok for you to change the variable name from 15MinEarly to MinEarly_15? Also change your search to add + to the last "Now"

| eval MinEarly_15=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S") 
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " + MinEarly_15 + " - " + Now

Looks like splunk is bit confused to see the variables starting with digits 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-21-2018 08:03 AM

That was exactly the problem. Thanks so much!

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎08-20-2018 01:22 PM

Use . for concatenation of strings

| eval 15MinEarly=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S") 
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " .15MinEarly ." - ".Now
0 Karma
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-21-2018 06:53 AM

I got the following error:

⚠ Error in 'eval' command: The expression is malformed.

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎08-21-2018 07:04 AM

are your fields 15MinEarly and Now working? try 

| table 15MinEarly Now

0 Karma
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-21-2018 07:36 AM

Yes. Both fields return expected values.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...