
How to set value for earliest and latest?

Path Finder

Unable to set value for earliest and latest, I am getting errors. Below is my search query.

    eval earliest=if(strftime(now(),"%A")=="Monday","-3d@d","-1d@d") eval latest=if(strftime(now(),"%A")<>"Monday", "-3d@s","1d@s") index=XXX sourcetype=YYY
    | search "XXYZ"
    | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
    | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
    | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
    | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
    | spath output=OC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
    | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
    | spath output=CC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
    | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),OC),TimeZone),CC)
    | mvexpand combined
    | eval combined=split(combined,",")
    | eval OpName=mvindex(combined,0)
    | eval EvType=mvindex(combined,1)
    | eval state=mvindex(combined,2)
    | eval Line_Count=mvindex(combined,3)
    | eval OC=mvindex(combined,4)
    | eval TimeZone=mvindex(combined,5)
    | eval CC=mvindex(combined,6)
    | where OpName="Total Reservations Count"

Re: How to set value for earliest and latest?

SplunkTrust

What errors are you getting?

---
If this reply helps you, an upvote would be appreciated.

Re: How to set value for earliest and latest?

Path Finder

Hello Rich,

Thanks for the reply. I was getting an "expression is malformed" error after eval earliest. I got this fixed; below is my updated search query:

[| gentimes start=-1 
 | eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d", "-1d@d") 
 | eval latest=if(lower(strftime(now(),"%A"))="monday","-3d@s", "-1d@s")
 | table earliest, latest | format "" "" "" "" "" ""]  index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=cc path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),cc)
 | mvexpand combined
 | eval combined=split(combined,",")
 | eval  OpName=mvindex(combined,0)
 | eval  EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"
 | append
 [search earliest=@d   index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=CDC_RDC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),CDC_RDC)
 | mvexpand combined
 | eval combined=split(combined,",")
 | eval  OpName=mvindex(combined,0)
 | eval  EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"]
 | bucket _time span=1d
 | stats sum(Line_Count) AS Requests by _time

Re: How to set value for earliest and latest?

Path Finder

I got the issue fixed, thanks for looking into this Rich!


Re: How to set value for earliest and latest?

Path Finder

The issue was with a missing comma " ' " in my query


Re: How to set value for earliest and latest?

Legend

Kindly update your question with your query which needs assistance...

  1. Your eval expressions are missing a comma before the default case 1==1 expression.
  2. Also, please choose an appropriate default value, since Others is not a valid option for earliest or latest. Please find the snippet below:

    [| gentimes start=-1
    | eval earliest=case($SearchOption$ == "LastWorkingDay" AND lower(strftime(now(),"%A"))="monday", "-3d@d",
    $SearchOption$ == "LastWeekSameDayTime","-7d@d",
    $SearchOption$ == "LastWorkingDay","-1d@d")
    | eval latest=case($SearchOption$ == "LastWorkingDay" AND lower(strftime(now(),"%A"))="monday","-3d@s",
    $SearchOption$=="LastWeekSameDayTime","-7d@s",
    $SearchOption$=="LastWorkingDay","-1d@s")
    | table earliest, latest
    | format "" "" "" "" "" ""]
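
To check which window the weekday logic from this thread resolves to before wiring it into a subsearch, the following stand-alone search evaluates the same `if` expressions for each of the previous seven days and prints the absolute start and end times. This is an added example, not part of the original posts; the field names `n`, `t`, `weekday`, `window_start` and `window_end` are hypothetical, and `t` stands in for `now()` so the Monday branch can be inspected on any day of the week.

```spl
| makeresults count=7
| streamstats count AS n
| eval t=relative_time(now(), "-".tostring(n)."d")
| eval weekday=strftime(t, "%A")
| eval earliest=if(lower(weekday)="monday", "-3d@d", "-1d@d")
| eval latest=if(lower(weekday)="monday", "-3d@s", "-1d@s")
| eval window_start=strftime(relative_time(t, earliest), "%Y-%m-%d %H:%M:%S")
| eval window_end=strftime(relative_time(t, latest), "%Y-%m-%d %H:%M:%S")
| table weekday earliest latest window_start window_end
```

Each row shows the modifiers the subsearch would hand to the outer search and the concrete time range they select, so a window that is empty or inverted is visible before the main search runs.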


Re: How to set value for earliest and latest?

Legend

Kindly accept if this answer has helped you fix the issue.
