Solved: Filtering in search.

SplunkBaby · ‎03-27-2014

Hi
I have a search string like
host=ABC "Sales Month"="March"|.....
Instead of hard coding the month March can I make it dynamic.
I tried like host=ABC "Sales Month"== strftime(now(),"%B").
But it seems not working.Can anybody help.

martin_mueller · ‎03-27-2014

For filtering in the initial search I highly recommend computing the value using an eval-based macro like so:

[current_month_name]
definition = strftime(time(), "%B")
iseval = 1

Your search then becomes this:

host=ABC Sales_Month=`current_month_name`

And Splunk can use its index appropriately, and avoids loading events that don't have that month value.

View solution in original post

martin_mueller · ‎03-27-2014

For filtering in the initial search I highly recommend computing the value using an eval-based macro like so:

[current_month_name]
definition = strftime(time(), "%B")
iseval = 1

Your search then becomes this:

host=ABC Sales_Month=`current_month_name`

And Splunk can use its index appropriately, and avoids loading events that don't have that month value.

SplunkBaby · ‎03-27-2014

Thanks a a lot.This is new learning to me and I solved my problem.

martin_mueller · ‎03-27-2014

Everyone should have such a list 😄

MuS · ‎03-27-2014

this is really a nice approach! have to write it down on the ThingsICanDoBetterNextTime List 😉

MuS · ‎03-27-2014

Hi SplunkBaby,

try something like this:

host=ABC | eval Sales_Month=strftime(now(), "%B") | ...

this will return the field Sales_Month as march as of today 03/27/2014.
Yes, the field name Sales_Month and "Sales Month" are the same, because Splunk tends to replace spaces in field names with a _ .

hope this helps and thanks for voting 😉

cheers, MuS

SplunkBaby · ‎03-27-2014

Thanks for the support.

Filtering in search.

Upcoming Community Maintenance: 10/28

Best Practices for Metrics Pipeline Management

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...