Solved: How can i search for two concatenated strings?

antonio147 · ‎03-25-2021

I need to search for a string composed of the month - year in Italian.
Example: "March-2021"
If I enter "March-2021" in the search, everything works but if I put the eval variable (month year) or the strcat variable (completo), it doesn't work.

I have :

|eval anno = strftime(_time,"%Y")
| eval mesi=strftime(_time,"%m")
| eval mese=case(
mesi="01","Gennaio-",
mesi="02","Febbraio-",
mesi="03","Marzo-",
mesi="04","Aprile-",
mesi="05","Maggio-",
mesi="06","giugno-",
mesi="07","Luglio-",
mesi="08","Agosto-",
mesi="09","Settembre-",
mesi="10","Ottobre-",
mesi="11","Novembre",
mesi="12","Dicembre-",
1=1, "INV")
|eval meseanno= mese.anno
|strcat mese anno completo
|search AMBITO = meseanno

so it doesn't work

if I use |search AMBITO = "March-2021" works

Can you help me understand how to look for a chained string?
Tks
Bye
Antonio

ITWhisperer · ‎03-25-2021

Try

|where AMBITO = meseanno

View solution in original post

ITWhisperer · ‎03-25-2021

Try

|where AMBITO = meseanno

antonio147 · ‎03-25-2021

Thank you so much !!!!
but why didn't it work with search?

ITWhisperer · ‎03-25-2021

Basically, search works with strings, where works with fields.

antonio147 · ‎03-25-2021

Ah OK,
thanks for the explanation 🙂
But if two strings are concatenated, I expected search to work the same.
I expected search to work with string1.string2
I understand better the dynamics of splunk and how it works.
Thank you again.

How can i search for two concatenated strings?

eval

search job inspector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation