Conditional Search String based on Time

syk19567 · ‎06-10-2024

Hi community,

I need to write a query which can adjust its search string based on event time. For example, if the event time is before 2024/01/01, events should include string "A" OR "B";

index="aws" sourcetype="dev" ("A" OR "B")

Else, events should include string "C" OR "D".

index="aws" sourcetype="dev" ("C" OR "D")

I have written this to get the search string, but have no idea how to make use of it.

index="aws" sourcetype="dev"
| eval search_string=if(_time < strptime("2024-01-01", "%Y-%m-%d"), "(\"A\" OR \"B\")", "(\"C\" OR \"D\")")
| search search_string

I've got a lot of help here, and really appreciate it!

KendallW · ‎06-10-2024

Hi @syk19567 would something like this work? (Replace timestamps with epoch time)

index="aws" sourcetype="dev" (earliest=-1y latest="2023/12/31 23:59:59" "A" OR "B") OR (earliest="2024/01/01 00:00:00" latest=now "C" OR "D")

bowesmana · ‎06-10-2024

Couple of minor edits - latest is exclusive and format should be MM/DD/YYYY:HH:MM:SS, so it would be

index="aws" sourcetype="dev" (earliest=-1y latest="01/01/2024:00:00:00" "A" OR "B") OR (earliest="01/01/2024:00:00:00" latest=now "C" OR "D")

Conditional Search String based on Time

eval

join

subsearch

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Join the Conversation

Conditional Search String based on Time

eval

join

subsearch

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education