Splunk Search

Having issues with latest and earliest time in search

srinivas_gowda
Path Finder

Hello all,

 

I am trying to run the below query and when I change the earliest to last 7 days I am getting the below error. However, it is running fine if I add -30d for earliest search.

`acn_patchmanagement_macro_serverdetails_t1_001`
|where NOT IN (Server,[|search earliest=-7d latest=now() `acn_patchmanagement_macro_serverdetails_t1_001` |stats count(Server) by Server|table Server])
|lookup acn_patchmanagement_lookup_server-details_001 Server OUTPUT OS_Type OS_SubType
| eval OS_Type=if(isnull(OS_Type), "NA", OS_Type)
| eval OS_SubType=if(isnull(OS_SubType), "NA", OS_SubType)
|append [| inputlookup acn_patchmanagement_lookup_server-details_001.csv ]
|fields Last_Patched_Date ChangeNo Server OS_Type OS_SubType Overall_Status

 Below is the error:

Error in 'where' command: The expression is malformed. An unexpected character is reached at ') ) '.

 

Please let me know the solution for this.

0 Karma

ITWhisperer
SplunkTrust

Try return $Server at the end of the subsearch

0 Karma

aasabatini
Motivator

Hi @srinivas_gowda 

Try to change where to search:

|search NOT IN (Server,[|search earliest=-7d latest=now()
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

srinivas_gowda
Path Finder

Hello, Thank you for your response.

I tried it and am now facing an issue with the NOT IN. Below is the error.

 

Error in 'search' command: Unable to parse the search: Comparator 'IN' has an invalid term on the left hand side: NOT.

0 Karma

aasabatini
Motivator

Hi @srinivas_gowda 

Yes, makes sense.

Try this:

|search NOT (Server,[|search earliest=-7d latest=now() `acn_patchmanagement_macro_serverdetails_t1_001` |stats count(Server) by Server|table Server])
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

srinivas_gowda
Path Finder

This worked. Thank you.

0 Karma
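
The exclusion discussed in this thread, written in the bare subsearch form, as an added example that is not from any of the posters: the subsearch's `Server` rows are expanded into `( ( Server="a" ) OR ( Server="b" ) ... )` and the outer `search NOT` drops those servers. It reuses the macro and lookup names from the question, assumes the macro expands to plain search terms, and uses `latest=now` as the time modifier.

```spl
`acn_patchmanagement_macro_serverdetails_t1_001`
| search NOT
    [ search earliest=-7d latest=now `acn_patchmanagement_macro_serverdetails_t1_001`
      | stats count by Server
      | fields Server ]
| lookup acn_patchmanagement_lookup_server-details_001 Server OUTPUT OS_Type OS_SubType
| eval OS_Type=if(isnull(OS_Type), "NA", OS_Type)
| eval OS_SubType=if(isnull(OS_SubType), "NA", OS_SubType)
| append [| inputlookup acn_patchmanagement_lookup_server-details_001.csv ]
| fields Last_Patched_Date ChangeNo Server OS_Type OS_SubType Overall_Status
```

Subsearches are capped by default (10,000 results, 60 seconds of run time), so an exclusion list larger than that is truncated and some servers that should be excluded will still appear.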