Splunk Search

How to filter a list of timestamps less than _time

weidertc
Communicator

I need to filter a list of timestamps which are less than _time.

This works:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval older = mvfilter(timestamps < 1570000010)

But the compared value is whatever is in _time. This does not work:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval _time = 1570000010
| eval older = mvfilter(timestamps < _time)

I know timestamps work, because this does work:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval older = mvfilter(timestamps < now())

Why do now() and static values work, but this does not:

| makeresults count=1
| eval timestamps = mvappend("1570000000", "1570000020")
| eval now_time = now()
| eval older = mvfilter(timestamps < now_time)

How can I get a variable in there to compare, since I need to compare the list to _time?

0 Karma
1 Solution

ITWhisperer
SplunkTrust

mvfilter can only reference one field at a time

Description

This function filters a multivalue field based on an arbitrary Boolean expression. The Boolean expression can reference ONLY ONE field at a time.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvfilter...

Try like this:

| makeresults count=1
| eval timestamps = mvappend("1700000000", "1800000020")
| foreach mode=multivalue timestamps
    [| eval older=if(<<ITEM>> < _time, mvappend(older,<<ITEM>>),older)]


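A fuller version of ITWhisperer's foreach pattern, added here as an example and not taken from the thread: _time (2024-03-01 12:00:00 UTC as an epoch) and the timestamp list are constructed values, and the final mvmap/strftime step assumes mvmap (Splunk 8.0 and later) for formatting each kept value.

```spl
| makeresults count=1
| eval _time = 1709294400
| eval timestamps = mvappend("1709290000", "1709295000", "1709300000", "1709280000")
| foreach mode=multivalue timestamps
    [| eval older = if(<<ITEM>> < _time, mvappend(older, <<ITEM>>), older)]
| eval older_count = coalesce(mvcount(older), 0)
| eval older_readable = mvmap(older, strftime(tonumber(older), "%Y-%m-%d %H:%M:%S"))
| table _time timestamps older older_count older_readable
```

With these values `older` holds 1709290000 and 1709280000 and `older_count` is 2; when no value precedes _time, `older` is never created and `coalesce` reports 0 instead of a missing field.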
weidertc
Communicator

Whoa! I didn't know about mode=multivalue. Thanks!

0 Karma

richgalloway
SplunkTrust

Have you tried using single quotes to tell eval you're referring to a field name?

| eval older = mvfilter(timestamps < '_time')

---
If this reply helps you, Karma would be appreciated.
0 Karma