Solved: How to write a search using an eval object with a ...

sfellin · ‎04-19-2016

I am trying to use an eval object as the basis of a search pattern along with a wildcard and Splunk is not happy with my efforts.

I have a field (DATE_FIELD) with data such as 20160419_003425 and I'm trying to collect all of the current day's events only:

create a variable with today's date > search against a field using variable + wildcard

Tried:
index=myIndex | eval now=now(), today=strftime(now(), "%Y%m%d") | search DATE_FIELD = `today`* >> throws error
index=myIndex | eval now=now(), today=strftime(now(), "%Y%m%d") | search DATE_FIELD = today*
index=myIndex | eval now=now(), today=strftime(now(), "%Y%m%d") | where DATE_FIELD = `today`*
index=myIndex | eval now=now(), today=strftime(now(), "%Y%m%d") | where DATE_FIELD = today*
index=myIndex | eval now=now(), today=strftime(now(), "%Y%m%d") | where like(DATE_FIELD, "today%")

Feel like there's an obvious way to accomplish this, but haven't located it yet; requirement is current day (and current day only). Of course, enjoy the simpler solution rather than over-engineering (sure I could make a three-line regex...)

somesoni2 · ‎04-19-2016

Try like this

index=myindex | where LIKE(DATE_FIELD,strftime(now(), "%Y%m%d") ."_%")

OR

index=myindex | where match(DATE_FIELD,strftime(now(), "%Y%m%d") ."_.*")

View solution in original post

somesoni2 · ‎04-19-2016

Try like this

index=myindex | where LIKE(DATE_FIELD,strftime(now(), "%Y%m%d") ."_%")

OR

index=myindex | where match(DATE_FIELD,strftime(now(), "%Y%m%d") ."_.*")

sfellin · ‎04-19-2016

Thanks; I used a regex on the field to capture the first 8 digits to compare it to the eval but this is a cleaner approach -- switched!

How to write a search using an eval object with a wildcard?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services