Splunk Search

Why the function "strftime" not working in my search query?

chrismok
Path Finder

If I use this, no events are returned:

sourcetype=abc source="*"+strftime(now(),"%Y%m%d")+"*"

But when I modify the query to

sourcetype=abc source="*20141104*"

there are events returned.

May I know whether this is a bug in Splunk?


peter_krammer
Communicator

Here is what you are looking for

sourcetype=abc [|stats count | eval source = "*"+strftime(now(),"%Y%m%d")+"*" | fields source | format]

Edited answer to show the better-performing solution found by davebrooking, optimized a little by me.


peter_krammer
Communicator

I just tried out your solution and it works, if eval-based definition is checked.
So thank you.

MuS
Legend

You're welcome 😉

MuS
Legend

Looking at this picture, it's absolutely clear why your first search is the fastest: using any fields like index or source in the base search will speed up the search. Using a subsearch will basically double search times, but it also speeds up the base search because you can use source in it, and my example simply does not provide any source field in the base search.

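The reason the original search returns nothing is that `strftime()` is an eval function: inside a base search term it is not evaluated, so Splunk looks for a source literally named `*"+strftime(now(),"%Y%m%d")+"*`. The accepted subsearch computes the string first and `format` turns it into a literal search term. As an added example that is not from the thread, the same idea extended to match both today's and yesterday's date-stamped sources (useful around midnight or when the log rotation clock and Splunk's clock disagree); `sourcetype=abc` and the `-1d@d` window are assumptions.

```spl
sourcetype=abc
    [| stats count
     | eval source=mvappend(
           "*" . strftime(now(), "%Y%m%d") . "*",
           "*" . strftime(relative_time(now(), "-1d@d"), "%Y%m%d") . "*")
     | mvexpand source
     | fields source
     | format]
```

The subsearch runs first and `format` emits `( ( source="*<today>*" ) OR ( source="*<yesterday>*" ) )`, which Splunk splices into the base search before reading any event, so the source filter still narrows what is scanned.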