
Why do I have an error in my search?

Italy1358
Path Finder

It says that my eval is malformed, any suggestions?

 

| inputlookup US.csv
| eval current_date=strftime(time(),"%Y-%m-%dt%H:%M:%S")
| append [ | makeresults
| eval 3month="$3month$"]
| eval 3month=30*24*60*60
| eval relative_time = current_date "+3month"
| eval duration = if(current_date >= date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration

 

0 Karma

somesoni2
Revered Legend

Is this query run on a dashboard? What's your objective for the search?

I believe this line is the culprit

| eval relative_time = current_date "+3month"

What are you trying to do with this line? If you want to concatenate strings, use it like this

| eval relative_time = tostring(current_date)."+3month"

If you want to add 3 months to current_date, try this

| eval relative_time=relative_time(strptime(current_date,"%Y-%m-%dt%H:%M:%S"),"+3mon")
0 Karma

Italy1358
Path Finder

It is for a dashboard. When a user is entered, the month to revisit is selected, so I need a way to check when the user was entered against the month selected to say whether the user is active or expired. That is what I am trying to do here. It is for an allow list that I am making using a dashboard.
@somesoni2 

0 Karma

somesoni2
Revered Legend

What columns are there in the lookup US.csv? When the user selects the $3month$ value, what does it hold (a date or a month)?

0 Karma

Italy1358
Path Finder

These are the columns in the csv:
current_date, user, category, department, description, revisit, duration
@somesoni2 

0 Karma

somesoni2
Revered Legend

So do you want to check if US.csv->revisit (assuming that column has a date value) is within 3 months of current_date?

0 Karma

Italy1358
Path Finder

Yeah
@somesoni2 

0 Karma

somesoni2
Revered Legend

Give this a try

If looking for revisit to be within past 3 months

| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (past date)"
| eval revisit_date=relative_time(now(),"-3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date <= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration

If looking for revisit to be within 3 months in the future

| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (future date)"
| eval revisit_date=relative_time(now(),"+3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date >= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration

 

Italy1358
Path Finder

Here is a sample of my dashboard:

[image: Italy1358_0-1653333210447.png]

@somesoni2 

So the user chooses the month for revisit, then from today's entry date to the next 3 months or so I want to see if they're still valid or not.

0 Karma

Italy1358
Path Finder

User, description, revisit, action

The revisit is a dropdown with choices of 1 month, 2 month, 3 month, 4 month, 5 month, and 6 month.
@somesoni2 

0 Karma
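Putting the two clarifications above together (the lookup stores the entry timestamp in current_date, and revisit is a dropdown label such as "3 month"), the following is one way the whole check can be written. It is an added example, not the accepted answer's code or the original poster's search; the timestamp format is taken from the original search, while the regex that pulls the month count out of the dropdown label and the extra expiry_date column are assumptions.

```spl
| inputlookup US.csv
| rename COMMENT as "Entry date from the lookup, parsed to epoch; format assumed to match the original search"
| eval entry_epoch=strptime(current_date,"%Y-%m-%dt%H:%M:%S")
| rename COMMENT as "Dropdown label such as '3 month' -> 3; assumes the label always starts with the number"
| eval months=tonumber(replace(revisit,"^\s*(\d+).*$","\1"))
| rename COMMENT as "Expiry is the entry date plus N calendar months; relative_time wants a string modifier like +3mon"
| eval expiry_epoch=relative_time(entry_epoch,"+".tostring(months)."mon")
| rename COMMENT as "Compare the expiry against now(), not against the entry date, and do not expire rows that could not be parsed"
| eval duration=if(isnull(expiry_epoch),"Unknown",if(now() >= expiry_epoch,"Expired","Valid"))
| eval expiry_date=strftime(expiry_epoch,"%Y-%m-%d")
| table current_date, user, category, department, description, revisit, expiry_date, duration
```

The append/makeresults subsearch from the original search is not needed: the month count is already a column of each row, so it can be read directly. Rows whose entry date or month label fails to parse come out as "Unknown" rather than silently "Valid", which matters for an allow list.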

Italy1358
Path Finder

Like this?
| eval current_date=strftime(time(),"%Y-%m-%dt%H:%M:%S")
| append [ | makeresults
| eval 3mon="$3month$"]
| eval 3mon=30*24*60*60
| eval relative_time=relative_time(strptime(current_date,"%Y-%m-%dt%H:%M:%S"),"+3mon")
| eval duration = if(current_date >= date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration
@somesoni2 

0 Karma