Splunk Search

Why do I have an error in my search?

Italy1358
Path Finder

It says that my eval is malformed; any suggestions?

 

| inputlookup US.csv
| eval current_date=strftime(time(),"%Y-%m-%dt%H:%M:%S")
| append [ | makeresults
| eval 3month="$3month$"]
| eval 3month=30*24*60*60
| eval relative_time = current_date "+3month"
| eval duration = if(current_date >= date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration

 

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try

If looking for revisit to be within the past 3 months

| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (past date)"
| eval revisit_date=relative_time(now(),"-3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date <= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration

If looking for revisit to be within 3 months in the future

| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (future date)"
| eval revisit_date=relative_time(now(),"+3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date >= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration


somesoni2
SplunkTrust

Is this query run on a dashboard? What's your objective for the search?

I believe this line is the culprit:

| eval relative_time = current_date "+3month"

What are you trying to do with this line? If you want to concatenate strings, use it like this:

| eval relative_time = tostring(current_date)."+3month"

If you want to add 3 months to current_date, try this:

| eval relative_time=relative_time(strptime(current_date,"%Y-%m-%dt%H:%M:%S"),"+3mon")
0 Karma
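As an added example that is not part of the thread or of Splunk, here is the allow-list expiry check from the accepted answer and from the reply above (adding the selected number of months to current_date with relative_time rather than concatenating a string) written in Python, so it can be run offline over a constructed copy of the lookup. It parses the thread's timestamp format, adds the selected months with calendar-aware arithmetic (what relative_time(x, "+Nmon") does, as opposed to the 30-day 3month constant in the original search), and marks each row Expired or Valid; rows with an unparseable timestamp or revisit value come back as Unknown rather than silently counting as Valid, which is the failure mode that matters for an allow list. The column names are the ones the poster listed; the sample rows, the reading of current_date as the entry timestamp and of revisit as the "N month" dropdown value, and all function names are assumptions made for this example.

```python
import calendar
import csv
import io
from datetime import datetime

# Timestamp layout used throughout the thread (note the literal lowercase "t").
TS_FORMAT = "%Y-%m-%dt%H:%M:%S"

# Constructed sample of the US.csv lookup. Column names are the ones the poster
# listed; the rows are made up for this example. "current_date" is assumed to be
# the entry timestamp and "revisit" the dashboard dropdown value ("1 month".."6 month").
SAMPLE_CSV = """current_date,user,category,department,description,revisit,duration
2022-01-15t09:30:00,alice,contractor,finance,temporary vendor access,3 month,
2022-05-20t08:00:00,bob,employee,it,break-glass admin,1 month,
2022-01-31t12:00:00,carol,contractor,hr,payroll audit,1 month,
not-a-date,dave,employee,ops,missing entry timestamp,2 month,
"""


def parse_ts(value):
    """Parse a timestamp string in the thread's format (raises ValueError if malformed)."""
    return datetime.strptime(value, TS_FORMAT)


def add_months(dt, months):
    """Calendar-aware month offset, matching the behaviour of relative_time(x, "+Nmon")
    rather than the 30*24*60*60 approximation in the original search.
    The day is clamped to the last day of the target month (Jan 31 + 1 month -> Feb 28)."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def parse_revisit_months(value):
    """'3 month' -> 3. Raises ValueError/IndexError on anything else."""
    return int(value.strip().split()[0])


def classify(entry_ts, revisit_value, now):
    """Return 'Expired', 'Valid' or 'Unknown' for one allow-list row.
    A malformed row is reported as Unknown on purpose: an entry whose expiry cannot be
    computed must not be treated as still valid."""
    try:
        entry = parse_ts(entry_ts)
        months = parse_revisit_months(revisit_value)
    except (ValueError, IndexError):
        return "Unknown"
    expiry = add_months(entry, months)
    return "Expired" if now >= expiry else "Valid"


def evaluate_allow_list(csv_text, now):
    """Fill the 'duration' column for every row of the lookup, like the final eval+table."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["duration"] = classify(row["current_date"], row["revisit"], now)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Fixed "now" so the run is reproducible; Splunk's now() would be the search time.
    now = parse_ts("2022-06-01t00:00:00")
    for row in evaluate_allow_list(SAMPLE_CSV, now):
        print(f"{row['user']:<6} entered {row['current_date']:<20} "
              f"revisit {row['revisit']:<8} -> {row['duration']}")
```

With the sample data and a fixed "now" of 2022-06-01, alice (entered mid-January, 3 months) and carol (entered 31 January, 1 month, clamped to 28 February) come out Expired, bob (entered 20 May, 1 month) is still Valid, and dave, whose entry timestamp is unparseable, is Unknown. The same three-way outcome is what a dashboard should surface: a row that cannot be evaluated deserves a review, not a green "Valid".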

Italy1358
Path Finder

It is for a dashboard. When a user is entered, the month to revisit is selected, so I need a way to check when the user was entered against the month selected to say whether the user is active or expired. That is what I am trying to do here. It is for an allow list that I am making using a dashboard.
@somesoni2 

0 Karma

somesoni2
SplunkTrust

What columns are there in the lookup US.csv? When the user selects $3month$ values, what values does it hold (a date or a month)?

0 Karma

Italy1358
Path Finder

These are the columns in the csv:
current_date, user, category, department, description, revisit, duration
@somesoni2 

0 Karma

somesoni2
SplunkTrust

So do you want to check if US.csv->revisit (assuming that column has a date value) is within 3 months of current_date?

0 Karma

Italy1358
Path Finder

Yeah
@somesoni2 

0 Karma


Italy1358
Path Finder

Here is a sample of my dashboard:

[screenshot of the dashboard]

@somesoni2 

So the user chooses the month for revisit; then, from today's entry date to the next 3 months or so, I want to see if they're still valid or not.

0 Karma

Italy1358
Path Finder

User, description, revisit, action

The revisit is a dropdown with choices of 1 month, 2 month, 3 month, 4 month, 5 month, and 6 month.
@somesoni2 

0 Karma

Italy1358
Path Finder

Like this?

| eval current_date=strftime(time(),"%Y-%m-%dt%H:%M:%S")
| append [ | makeresults
| eval 3mon="$3month$"]
| eval 3mon=30*24*60*60
| eval relative_time=relative_time(strptime(current_date,"%Y-%m-%dt%H:%M:%S"),"+3mon")
| eval duration = if(current_date >= date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration
@somesoni2 

0 Karma