Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a complex WHERE condition?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-26-2018
09:20 AM
Hi
I have to create a complex SPL command (for me ;-))
In this command, I want to search a specific word which start by W10P02xx in a log file and with a date which is previous to month -2 (26 January for today)
I think we have to use a WHERE condition but after???
Is it possible ith SPL command?
Thanks a lot
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-26-2018
09:25 AM
Hey
The first part you can you where yourfield like W10P02xx%
The month part, you create a variable last_time with the function relative_time and get 2 months backwards. Then use it to filter your results with an AND
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-26-2018
09:59 AM
thanks tiago you are champion 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-26-2018
10:00 AM
Please don't forget to accept and upvote the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-26-2018
09:43 AM
Yoursearch| eval time_threshold=relative_time(now(), "-2M@d") | where yourfield like "W10P02xx%" AND _time>time_threshold
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-26-2018
10:09 AM
You accepted your own answer. Please unaccept yours and accept my answer to the question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-26-2018
09:39 AM
thanks tiago but im not sure to succeed ...........
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-26-2018
09:25 AM
Hey
The first part you can you where yourfield like W10P02xx%
The month part, you create a variable last_time with the function relative_time and get 2 months backwards. Then use it to filter your results with an AND
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
