Solved: Re: Use strftime eval in same query

jsmithn · ‎10-24-2019

I am trying to create a search that evaluates today's date and uses that output string/field as part of the search:

**sourcetype=named | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | search nowstr**

The unique string needed is "(serial 2019102402)" and I've confirmed the field "nowstr" is that exact string. I think I need a subsearch but cannot get it working:

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | table nowstr ]

LOG EVENT

HOSTNAME named[32473]: 24-Oct-2019 09:00:10.656 notify: info: zone example.com/IN: sending notifies (serial 2019102402)

jsmithn · ‎10-24-2019

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr ] "(serial"

Not really sure what's happening but it works. Thanks to tiagofbmm for moving it along. Can replace "gentimes start=-1" with "makresults" but unknown if one is better.

View solution in original post

woodcock · ‎10-25-2019

Like this:

| makeresults
| eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)"
| map search="search index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=named $nowstr$"

jsmithn · ‎10-24-2019

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr ] "(serial"

Not really sure what's happening but it works. Thanks to tiagofbmm for moving it along. Can replace "gentimes start=-1" with "makresults" but unknown if one is better.

tiagofbmm · ‎10-24-2019

You can use a subsearch of makeresults. You apply your eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" within the makeresults and do a return $nowstr.

In the end something like this:

Search sourcetype=named [ | makeresults | eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr]

Let me know

jsmithn · ‎10-24-2019

Trying that "Error in 'search' command: Unable to parse the search: unbalanced parentheses.". But I did not know about the return command, using that I was able to get it to work. There's likely a better, more elegant solution, but it returns the results expected! 🙂

jsmithn · ‎10-24-2019

Also works with either "makeresults" or "gentimes start=-1". I don't know the difference, if one is better (more economical for search).

richgalloway · ‎10-24-2019

Why do you think you need a subsearch? How is the first query failing you?
Does 'nowstr' contain quotes? If not, that may explain the failure.

---
If this reply helps you, Karma would be appreciated.

jsmithn · ‎10-24-2019

I think that because of other posts in the community, seems like a subsearch is the way to accomplish what I want. The first query does not yield any results. 'nowstr' is defined by my statement above. Using today's date, its value is (serial 2019102402). No quotes.

Use strftime eval in same query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation