Solved: How to create a complex WHERE condition?

jip31 · ‎03-26-2018

Hi

I have to create a complex SPL command (for me ;-))
In this command, I want to search a specific word which start by W10P02xx in a log file and with a date which is previous to month -2 (26 January for today)
I think we have to use a WHERE condition but after???
Is it possible ith SPL command?
Thanks a lot

tiagofbmm · ‎03-26-2018

Hey

The first part you can you where yourfield like W10P02xx%

The month part, you create a variable last_time with the function relative_time and get 2 months backwards. Then use it to filter your results with an AND

View solution in original post

jip31 · ‎03-26-2018

thanks tiago you are champion 😉

tiagofbmm · ‎03-26-2018

Please don't forget to accept and upvote the answer

tiagofbmm · ‎03-26-2018

Yoursearch| eval time_threshold=relative_time(now(), "-2M@d") | where yourfield like "W10P02xx%" AND _time>time_threshold

tiagofbmm · ‎03-26-2018

You accepted your own answer. Please unaccept yours and accept my answer to the question

jip31 · ‎03-26-2018

thanks tiago but im not sure to succeed ...........

tiagofbmm · ‎03-26-2018

Hey

The first part you can you where yourfield like W10P02xx%

The month part, you create a variable last_time with the function relative_time and get 2 months backwards. Then use it to filter your results with an AND

How to create a complex WHERE condition?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies