Solved: How can i search for two concatenated strings?

antonio147 · ‎03-25-2021

I need to search for a string composed of the month - year in Italian.
Example: "March-2021"
If I enter "March-2021" in the search, everything works but if I put the eval variable (month year) or the strcat variable (completo), it doesn't work.

I have :

|eval anno = strftime(_time,"%Y")
| eval mesi=strftime(_time,"%m")
| eval mese=case(
mesi="01","Gennaio-",
mesi="02","Febbraio-",
mesi="03","Marzo-",
mesi="04","Aprile-",
mesi="05","Maggio-",
mesi="06","giugno-",
mesi="07","Luglio-",
mesi="08","Agosto-",
mesi="09","Settembre-",
mesi="10","Ottobre-",
mesi="11","Novembre",
mesi="12","Dicembre-",
1=1, "INV")
|eval meseanno= mese.anno
|strcat mese anno completo
|search AMBITO = meseanno

so it doesn't work

if I use |search AMBITO = "March-2021" works

Can you help me understand how to look for a chained string?
Tks
Bye
Antonio

ITWhisperer · ‎03-25-2021

Try

|where AMBITO = meseanno

View solution in original post

ITWhisperer · ‎03-25-2021

Try

|where AMBITO = meseanno

antonio147 · ‎03-25-2021

Thank you so much !!!!
but why didn't it work with search?

ITWhisperer · ‎03-25-2021

Basically, search works with strings, where works with fields.

antonio147 · ‎03-25-2021

Ah OK,
thanks for the explanation 🙂
But if two strings are concatenated, I expected search to work the same.
I expected search to work with string1.string2
I understand better the dynamics of splunk and how it works.
Thank you again.

How can i search for two concatenated strings?

eval

search job inspector

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

Are you a member of the Splunk Community?