Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass current year and month to search query dynamically?

splunkNewbie007
Loves-to-Learn
‎06-26-2023 10:40 AM

Hi Team,

 

I am trying to write a search query where it will find the existing filename is present in the logs or not.

Here is my static query looks like

index="xyz" fileName="this.is.my.file.received.on.202306.test.json" 

The below is the query i tried to pass the dynamic part into the filename but couldn't 

index="xyz" fileName="this.is.my.file.received.on.{yourtime}.test.json" | eval yourtime = strftime(_time, "%Y-%m")

  My questiions:

1. How can pass the dynamic part into the query ?
2. Can i use the same search query logic for creating a dashboard too ?

Any help is appreciated.

Thanks

Labels (1)
Labels
0 Karma
Reply

splunkNewbie007
Loves-to-Learn
‎06-26-2023 01:40 PM

Thanks  @fredclown @isoutamo for your suggestions. But the suggestions not worked me. There are few things i forgot to mention in the question. They are
1) the fileName field is a nested field
2) The scenario in which i am using this query for

Scenario description:
So my scenario is basically i will query the splunk logs and check whether there are any success events for the below file 

this.is.my.file.received.on.202306.test.json

and generate count. To calculate success events i will use Status="completed" key value in the query. 

I am able to see logs successfully with the below query

index="xyz" file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json" 


But when i tried using the below query i got nothing

 

index="xyz" [
    | makeresults count=1
    | eval file_sub{}.fs.file_name="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
    | fields file_sub{}.fs.file_name
    | format
]
| {the rest of your SPL}

--------------
I also tried running the static file name something like this but got no hits

index="xyz" [
    | makeresults count=1
    | eval file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json"
    | fields file_sub{}.fs.file_name
    | format
]
| {the rest of your SPL}

 


I also tried below query but got nothing

index="xyz" [ | eval search=strftime(now(), "this.is.my.file.received.on.%Y%m.test.json") | fields search]
---------------------
Also tried passing static file name but no results
index = "xyz" [ | eval search = "this.is.my.file.received.on.202306.test.json" | fields search]

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-26-2023 11:13 PM

Try it this way

index="xyz" [
    | makeresults count=1
    | eval _raw="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
    | rename _raw as file_sub{}.fs.file_name
    | fields - _time
]
| {the rest of your SPL}
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-26-2023 09:53 PM

Have you try

index="xyz" [ | makeresults
| eval search=strftime(now(), "this.is.my.file.received.on.%Y%m.test.json") 
| table search]

 

Reply

fredclown
Builder
‎06-26-2023 12:23 PM

Something like this should work.

index="xyz" [
    | makeresults count=1
    | eval fileName="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
    | fields fileName
    | format
]
| {the rest of your SPL}
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-26-2023 11:59 AM

Hi

you could do it like this answer https://community.splunk.com/t5/Alerting/Alert-when-triggered-Output-results-to-lookup-with-dynamic/...

This should work also on dashboard.
r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top