Splunk Search

How to pass current year and month to search query dynamically?

splunkNewbie007
Loves-to-Learn

Hi Team,


I am trying to write a search query that will find whether an existing filename is present in the logs or not.

Here is what my static query looks like:

index="xyz" fileName="this.is.my.file.received.on.202306.test.json" 

Below is the query I tried in order to pass the dynamic part into the filename, but it didn't work:

index="xyz" fileName="this.is.my.file.received.on.{yourtime}.test.json" | eval yourtime = strftime(_time, "%Y-%m") 

My questions:

1. How can I pass the dynamic part into the query?
2. Can I use the same search query logic for creating a dashboard too?

Any help is appreciated.

Thanks


splunkNewbie007
Loves-to-Learn

Thanks @fredclown @isoutamo for your suggestions. But the suggestions did not work for me. There are a few things I forgot to mention in the question. They are:
1) the fileName field is a nested field
2) the scenario in which I am using this query

Scenario description:
So my scenario is basically this: I will query the Splunk logs and check whether there are any success events for the file below

this.is.my.file.received.on.202306.test.json

and generate a count. To calculate success events I will use the Status="completed" key value in the query.

I am able to see logs successfully with the query below:

index="xyz" file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json" 


But when I tried the query below I got nothing:

index="xyz" [
    | makeresults count=1
    | eval file_sub{}.fs.file_name="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
    | fields file_sub{}.fs.file_name
    | format
]
| {the rest of your SPL}

--------------
I also tried running it with the static file name, something like this, but got no hits:

index="xyz" [
    | makeresults count=1
    | eval file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json"
    | fields file_sub{}.fs.file_name
    | format
]
| {the rest of your SPL}

I also tried the query below but got nothing:

index="xyz" [ | eval search=strftime(now(), "this.is.my.file.received.on.%Y%m.test.json") | fields search]
---------------------
I also tried passing the static file name, but got no results:
index = "xyz" [ | eval search = "this.is.my.file.received.on.202306.test.json" | fields search]

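The scenario described in this post, written out as a complete search. This is an added example, not a query from anyone in the thread: it combines the subsearch approach discussed above (a makeresults row renamed to the nested field name) with the Status="completed" filter and a final count. The index "xyz", the nested field file_sub{}.fs.file_name and the Status field are taken from the post; quoting the braced field name in rename, the use of now() for the current month, and the output field name completed_events are my own choices.

```spl
index="xyz" Status="completed"
    [ | makeresults count=1
      | eval _raw="this.is.my.file.received.on." . strftime(now(), "%Y%m") . ".test.json"
      | rename _raw AS "file_sub{}.fs.file_name"
      | fields - _time
      | format ]
| stats count AS completed_events
```

The subsearch runs first and is formatted into a term such as file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json", which is the same shape as the static search that already returns events, so the filtering happens at search time rather than in a later eval. strftime(now(), "%Y%m") yields the current year and month with no separator, matching the 202306 form of the filename; adjust the format string if the real filenames use a different layout. Because the whole thing is a single search string with no tokens, the same query can be pasted into a dashboard panel unchanged.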

ITWhisperer
SplunkTrust

Try it this way:

index="xyz" [
    | makeresults count=1
    | eval _raw="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
    | rename _raw as file_sub{}.fs.file_name
    | fields - _time
]
| {the rest of your SPL}

isoutamo
SplunkTrust

Have you tried

index="xyz" [ | makeresults
| eval search=strftime(now(), "this.is.my.file.received.on.%Y%m.test.json") 
| table search]

fredclown
Contributor

Something like this should work:

index="xyz" [
    | makeresults count=1
    | eval fileName="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
    | fields fileName
    | format
]
| {the rest of your SPL}

isoutamo
SplunkTrust

Hi,

you could do it like in this answer: https://community.splunk.com/t5/Alerting/Alert-when-triggered-Output-results-to-lookup-with-dynamic/...

This should also work on a dashboard.
r. Ismo
