Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why "where" doesn't work with hight values ?

Abarny
Path Finder
‎04-24-2017 02:06 AM

Hi guys,

I have a problem on my request because when i use a short time like 7 days ou 15 days it is right but when i use values like 1 month or 6 months, the request doesn't give me result : 

index="xxx"  
| rename "logs{}.*"  as * 
|fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
| eval acteur='user.firstName'." ".'user.lastName'  | search acteur="AAA" 
|rename projectId as NOVA_ID | join[ search index="gtav2_projects"  projects{}.icma="*"  
|rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
| rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
| dedup Title |eval dateLimite =relative_time(now(),"-7dmon")   
| convert timeformat="%d/%m/%Y %H:%M" ctime(dateLimite)|  where date > dateLimite 
|table "Nom Client",Title,ICMA,date, dateLimite, NOVA_ID

Thanks you for your help

0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 05:32 AM

I try this solution but isn't work too but more easier to debugg I think. Can you tell me why DateAffect is not convert ?

And why this where block again the result ?

index="aaa"  
| rename "logs{}.*"  as * 
|fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
| eval acteur='user.firstName'." ".'user.lastName'  
| search acteur="XXX" 
| rename projectId as NOVA_ID 
| join[ search index="gtav2_projects"  projects{}.icma="*"  
| rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
| rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
| dedup Title| convert  timeformat="%d/ %m/ %Y" ctime(date) as DateAffect 
| eval debut=relative_time(now(),"-7mon") 
|  convert timeformat="%d/ %m/ %Y %H:%M" ctime(debut)  
| eval fin=relative_time(now(),"-1d")  
| convert timeformat="%d/ %m/ %Y %H:%M" ctime(fin)  
| where (DateAffect > debut AND DateAffect < fin )  
|table "Nom Client",Title,ICMA,debut,fin,date,DateAffect

Thanks for your answer.

0 Karma
Reply

dineshraj9
Builder
‎04-24-2017 02:12 AM

Can you check this part of your query -

|eval dateLimite =relative_time(now(),"-7dmon")

Looks like the second parameter needs to be fixed. If you want 7 months, it should be "-7mon".

0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 02:18 AM

it was a typing error, sorry ..

0 Karma
Reply

dineshraj9
Builder
‎04-24-2017 02:21 AM

Try moving the convert statement after the comparison. 

 index="xxx"  
 | rename "logs{}.*"  as * 
 |fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
 | eval acteur='user.firstName'." ".'user.lastName'  | search acteur="AAA" 
 |rename projectId as NOVA_ID | join[ search index="gtav2_projects"  projects{}.icma="*"  
 |rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
 | rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
 | dedup Title |eval dateLimite =relative_time(now(),"-7mon")   
 |  where date > dateLimite | convert timeformat="%d/%m/%Y %H:%M" ctime(dateLimite)
 |table "Nom Client",Title,ICMA,date, dateLimite, NOVA_ID
0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 02:25 AM

I had try this but the request doesn't give all values

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...