Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with search of evaluated field

rodrigomarfei
Explorer
‎09-29-2021 09:25 AM

Hello,

I need a help with a search that seems very easy, but I'm unable to achieve the results I want.

The events are recieved in diferrent days, but no more than 3 days and the date is in the field event.Date.

The date format is "yyyy-mm-ddT00:00:00".

What I need is to search for all the events within the 3 days and then filter by the date.

So i've tried the following search:

index=something daysago=3
| eval dayOfSearch = strftime(relative(now(), "-2d@d"), "%Y-%m-%dT%H:%M:%S")
| search event.Date = dayOfSearch


It does not result to what I was expecting, but if I run the search replacing the variable dayOfsearch with the actual date, like "2021-09-05T00:00:00" it works.

What am I doing wrong or is that I better way to achieve this results?

 

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-29-2021 03:05 PM

Try something like this. Need to use "where" command if you're condition references other fields instead of static values. Also, since field name contains dot/special character, it needs to be enclosed in single quotes in where/eval.

index=something daysago=3
| eval dayOfSearch = strftime(relative(now(), "-2d@d"), "%Y-%m-%dT%H:%M:%S")
| where 'event.Date' = dayOfSearch

  

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-29-2021 03:05 PM

Try something like this. Need to use "where" command if you're condition references other fields instead of static values. Also, since field name contains dot/special character, it needs to be enclosed in single quotes in where/eval.

index=something daysago=3
| eval dayOfSearch = strftime(relative(now(), "-2d@d"), "%Y-%m-%dT%H:%M:%S")
| where 'event.Date' = dayOfSearch

  

Reply
Solved! Jump to solution

rodrigomarfei
Explorer
‎09-30-2021 05:15 AM

That's it. Single quotes and where.

 

Thank you!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2021 02:47 PM

Try 

| where event.Date = dayOfSearch
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top