Splunk Search

Use strftime eval in same query

jsmithn
Path Finder

I am trying to create a search that evaluates today's date and uses that output string/field as part of the search:

**sourcetype=named | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | search nowstr**

The unique string needed is "(serial 2019102402)" and I've confirmed the field "nowstr" is that exact string. I think I need a subsearch but cannot get it working:

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | table nowstr ]

LOG EVENT

HOSTNAME named[32473]: 24-Oct-2019 09:00:10.656 notify: info: zone example.com/IN: sending notifies (serial 2019102402)

0 Karma
1 Solution

jsmithn
Path Finder

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr ] "(serial"

Not really sure what's happening but it works. Thanks to tiagofbmm for moving it along. Can replace "gentimes start=-1" with "makeresults" but unknown if one is better.


0 Karma
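As an added illustration (not code from the thread), the same logic in plain Python: build the expected serial string the way the eval does, then match it against constructed named log lines, with a second check for zones whose serial was not bumped today. SAMPLE_EVENTS, the regex and the function names are my own assumptions, not anything from the original post.

```python
import re
from datetime import date

# Constructed sample events in BIND named log format (not from the thread);
# the first line mirrors the one quoted in the question.
SAMPLE_EVENTS = [
    "ns1 named[32473]: 24-Oct-2019 09:00:10.656 notify: info: zone example.com/IN: sending notifies (serial 2019102402)",
    "ns1 named[32473]: 24-Oct-2019 09:00:11.001 notify: info: zone example.net/IN: sending notifies (serial 2019102301)",
    "ns1 named[32473]: 24-Oct-2019 09:05:00.123 general: info: zone example.org/IN: loaded serial 2019102402",
]

# Captures pid, timestamp, zone and the 10-digit serial from a "sending notifies" event.
NOTIFY_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: (?P<ts>\S+ \S+) notify: info: zone (?P<zone>\S+?)/IN: "
    r"sending notifies \(serial (?P<serial>\d{10})\)"
)

def expected_serial(day: date, revision: int = 2) -> str:
    """Equivalent of strftime(now(), "%Y%m%d")."02": YYYYMMDD plus a 2-digit revision."""
    return f"{day:%Y%m%d}{revision:02d}"

def parse_notify(line: str):
    """Return the parsed notify event, or None for lines that are not notify events."""
    m = NOTIFY_RE.search(line)
    if not m:
        return None
    return {"zone": m.group("zone"), "serial": m.group("serial"), "ts": m.group("ts")}

def find_notifies_with_serial(lines, day: date, revision: int = 2):
    """(zone, serial) for notify events whose serial equals the expected one for `day`."""
    want = expected_serial(day, revision)
    hits = []
    for line in lines:
        ev = parse_notify(line)
        if ev and ev["serial"] == want:
            hits.append((ev["zone"], ev["serial"]))
    return hits

def stale_notifies(lines, day: date):
    """Extra check: notify events whose serial date prefix is not `day` (zone not bumped)."""
    prefix = f"{day:%Y%m%d}"
    return [(ev["zone"], ev["serial"]) for ev in map(parse_notify, lines)
            if ev and not ev["serial"].startswith(prefix)]

if __name__ == "__main__":
    today = date(2019, 10, 24)  # fixed so results match the thread; use date.today() in practice
    print(find_notifies_with_serial(SAMPLE_EVENTS, today))
    print(stale_notifies(SAMPLE_EVENTS, today))
```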

woodcock
Esteemed Legend

Like this:

| makeresults
| eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)"
| map search="search index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=named $nowstr$"
0 Karma


tiagofbmm
Influencer

You can use a subsearch of makeresults. You apply your eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" within the makeresults and do a return $nowstr.

In the end something like this:

Search sourcetype=named [ | makeresults | eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr]

Let me know

jsmithn
Path Finder

Trying that gives "Error in 'search' command: Unable to parse the search: unbalanced parentheses." But I did not know about the return command; using that I was able to get it to work. There's likely a better, more elegant solution, but it returns the results expected! 🙂

0 Karma

jsmithn
Path Finder

Also works with either "makeresults" or "gentimes start=-1". I don't know the difference, if one is better (more economical for search).

0 Karma

richgalloway
SplunkTrust

Why do you think you need a subsearch? How is the first query failing you?
Does 'nowstr' contain quotes? If not, that may explain the failure.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

jsmithn
Path Finder

I think that, based on other posts in the community, a subsearch seems to be the way to accomplish what I want. The first query does not yield any results. 'nowstr' is defined by my statement above. Using today's date, its value is (serial 2019102402). No quotes.

0 Karma