Splunk Search

How to use _time in where clause with like

ankurborah
Explorer

I have to use a date filed fields.updated to filter records the I have to filter based on matching Year-Month as below.

index=Jira_ticket_idx*|rename fields.updated as NewDate|eval NewDate=strptime(strftime(strptime(NewDate, "%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d"),"%Y-%m-%d")|eval _time=NewDate|where like(_time,"%2017-08%")|timechart count

Need experts help.

Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The strptime function returns an epoch (integer) timestamp. This means the like function will fail because one can't compare an integer to a string. Try this query.

index=Jira_ticket_idx*|rename fields.updated as NewDate|where like(NewDate, "%2017-08%") | eval _time=strptime(NewDate, "%Y-%m-%dT%H:%M:%S") | timechart count
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The strptime function returns an epoch (integer) timestamp. This means the like function will fail because one can't compare an integer to a string. Try this query.

index=Jira_ticket_idx*|rename fields.updated as NewDate|where like(NewDate, "%2017-08%") | eval _time=strptime(NewDate, "%Y-%m-%dT%H:%M:%S") | timechart count
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...