Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Having issues with latest and earliest time in search

srinivas_gowda
Path Finder
‎05-18-2021 12:03 AM

Hello all,

 

I am trying to run the below query and when I change the earliest to last 7 days I am getting the below error. However, it is running fine if I add -30d for earliest search.

`acn_patchmanagement_macro_serverdetails_t1_001`
|where NOT IN (Server,[|search earliest=-7d latest=now() `acn_patchmanagement_macro_serverdetails_t1_001` |stats count(Server) by Server|table Server])
|lookup acn_patchmanagement_lookup_server-details_001 Server OUTPUT OS_Type OS_SubType
| eval OS_Type=if(isnull(OS_Type), "NA", OS_Type)
| eval OS_SubType=if(isnull(OS_SubType), "NA", OS_SubType)
|append [| inputlookup acn_patchmanagement_lookup_server-details_001.csv ]
|fields Last_Patched_Date ChangeNo Server OS_Type OS_SubType Overall_Status

 Below is the error:

Error in 'where' command: The expression is malformed. An unexpected character is reached at ') ) '.

 

Please let me know the solution for this.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-18-2021 12:15 AM

Hi @srinivas_gowda 

yes, make sense

Try this

|search NOT (Server,[|search earliest=-7d latest=now() `acn_patchmanagement_macro_serverdetails_t1_001` |stats count(Server) by Server|table Server])
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2021 12:18 AM

Try return $Server at the end of the subsearch

0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎05-18-2021 12:10 AM

Hi @srinivas_gowda 

try to change where with search

|search NOT IN (Server,[|search earliest=-7d latest=now()
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

srinivas_gowda
Path Finder
‎05-18-2021 12:13 AM

Hello, Thank you for your response.

I tried and now facing the issue with the NOT IN. Below is the error.

 

Error in 'search' command: Unable to parse the search: Comparator 'IN' has an invalid term on the left hand side: NOT.

0 Karma
Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-18-2021 12:15 AM

Hi @srinivas_gowda 

yes, make sense

Try this

|search NOT (Server,[|search earliest=-7d latest=now() `acn_patchmanagement_macro_serverdetails_t1_001` |stats count(Server) by Server|table Server])
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Solved! Jump to solution

srinivas_gowda
Path Finder
‎05-18-2021 12:17 AM

This worked. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...