- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Error in my search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It says that my eval is malformed, any suggestions?
| inputlookup US.csv
| eval current_date=strftime(time(),"%Y-%m-%dt%H:%M:%S")
| append [ | makeresults
| eval 3month="$3month$"]
| eval 3month=30*24*60*60
| eval relative_time = current_date "+3month"
| eval duration = if(current_date >= date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
If looking for revisit to be within past 3 months
| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (past date)"
| eval revisit_date=relative_time(now(),"-3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date <= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, durationIf looking for revisit to be within
| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (past date)"
| eval revisit_date=relative_time(now(),"+3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date >= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration3 months in future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this query run on a dashboard? What's your objective for the search?
I believe this line is the culprit
| eval relative_time = current_date "+3month"What are you trying to do with this line? If you want to concatenate strings, use like this
| eval relative_time = tostring(current_date)."+3month"If you want to add 3 months to current_date, try like this
| eval relative_time=relative_time(strptime(current_date,"%Y-%m-%dt%H:%M:%S"),"+3mon")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is for a dashboard, when a user is entered, the month to revisit is selected so I need a way to check when the user is entered against the month selected to say whether the user is active or expired. That is what I am trying to do here. It is for an allow list that I am making using a dashboard.
@somesoni2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What all columns are there in the lookup US.csv? When user selects $3month$ values, what values it holds (a date or month)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are the columns in the cvs:
current_date, user, category, department, description, revisit, duration
@somesoni2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So do you want to check if US.csv->revisit (assuming that column has date value) is within 3months of current_date?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah
@somesoni2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
If looking for revisit to be within past 3 months
| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (past date)"
| eval revisit_date=relative_time(now(),"-3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date <= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, durationIf looking for revisit to be within
| inputlookup US.csv
| rename COMMENT as "Below converts revisit column to epoch"
| eval current_date=strptime(revisit,"%Y-%m-%dt%H:%M:%S")
| eval 3month=30*24*60*60
| rename COMMENT as "Below finds 3 months from today (past date)"
| eval revisit_date=relative_time(now(),"+3mon")
| rename COMMENT as "Below checks if current date(revisit) is within 3 months from today, set to expire"
| eval duration = if(current_date >= revisit_date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration3 months in future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a sample of my dashboard:
@somesoni2
So the user chooses the month for revisit then from todays entry date to the next 3 months or so I want to see if there valid still or not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
User, description, revisit, action
The revisit is a dropdown with choices of 1 month, 2 month, 3 month, 4 month, 5 month, and 6 month.
@somesoni2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this?
| eval current_date=strftime(time(),"%Y-%m-%dt%H:%M:%S")
| append [ | makeresults
| eval 3mon="$3month$"]
| eval 3mon=30*24*60*60
| eval relative_time=relative_time(strptime(current_date,"%Y-%m-%dt%H:%M:%S"),"+3mon")
| eval duration = if(current_date >= date, "Expired", "Valid")
| table current_date, user, category, department, description, revisit, duration
@somesoni2
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
