I am trying to create a search that evaluates today's date and uses that output string/field as part of the search:
**sourcetype=named | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | search nowstr**
The unique string needed is "(serial 2019102402)" and I've confirmed the field "nowstr" is that exact string. I think I need a subsearch but cannot get it working:
sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | table nowstr ]
LOG EVENT
HOSTNAME named[32473]: 24-Oct-2019 09:00:10.656 notify: info: zone example.com/IN: sending notifies (serial 2019102402)
sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr ] "(serial"
Not really sure what's happening but it works. Thanks to tiagofbmm for moving it along. Can replace "gentimes start=-1" with "makeresults" but unknown if one is better.
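The same check reproduced outside Splunk, as an added example (not code from the thread): the constructed `SAMPLE_LINES` mimic the named log format quoted in the question, `exact_matches` does what the accepted answer's subsearch does once `return $nowstr` has expanded to the literal `"(serial YYYYMMDD02)"`, and `todays_serials` goes a step further than the thread by accepting any revision number of today's serial instead of hard-coding `02`.

```python
import re
from datetime import date

# Constructed sample events in the BIND named notify format from the question.
SAMPLE_LINES = [
    "HOSTNAME named[32473]: 24-Oct-2019 09:00:10.656 notify: info: "
    "zone example.com/IN: sending notifies (serial 2019102402)",
    "HOSTNAME named[32473]: 24-Oct-2019 09:05:00.001 notify: info: "
    "zone example.org/IN: sending notifies (serial 2019102403)",
    "HOSTNAME named[32473]: 24-Oct-2019 09:10:00.123 notify: info: "
    "zone example.net/IN: sending notifies (serial 2019102301)",
]

# Zone name plus the YYYYMMDD and NN halves of a date-based SOA serial.
SERIAL_RE = re.compile(
    r"zone (?P<zone>\S+)/IN: sending notifies "
    r"\(serial (?P<ymd>\d{8})(?P<rev>\d{2})\)"
)


def expected_serial(today: date, revision: str = "02") -> str:
    """Same string the SPL eval builds: strftime(now(), "%Y%m%d") . "02"."""
    return today.strftime("%Y%m%d") + revision


def exact_matches(lines, today: date):
    """Literal search for "(serial YYYYMMDD02)", like the accepted answer."""
    needle = f"(serial {expected_serial(today)})"
    return [line for line in lines if needle in line]


def todays_serials(lines, today: date):
    """Generalisation: every zone whose serial carries today's date, any revision."""
    ymd = today.strftime("%Y%m%d")
    found = {}
    for line in lines:
        m = SERIAL_RE.search(line)
        if m and m.group("ymd") == ymd:
            found[m.group("zone")] = m.group("ymd") + m.group("rev")
    return found
```

`today` is passed in rather than read from the clock so the result is reproducible against the 2019-10-24 sample lines.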

Like this:
| makeresults
| eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)"
| map search="search index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=named $nowstr$"
You can use a subsearch of makeresults. You apply your eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" within the makeresults and do a return $nowstr.
In the end something like this:
Search sourcetype=named [ | makeresults | eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr]
Let me know
Trying that gives "Error in 'search' command: Unable to parse the search: unbalanced parentheses.". But I did not know about the return command; using that I was able to get it to work. There's likely a better, more elegant solution, but it returns the results expected! 🙂
Also works with either "makeresults" or "gentimes start=-1". I don't know the difference, if one is better (more economical for search).
Why do you think you need a subsearch? How is the first query failing you?
Does 'nowstr' contain quotes? If not, that may explain the failure.
If this reply helps you, Karma would be appreciated.
I think that, because of other posts in the community, a subsearch seems like the way to accomplish what I want. The first query does not yield any results. 'nowstr' is defined by my statement above. Using today's date, its value is (serial 2019102402). No quotes.
