Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- can i pass a subsearch argument as a greater than ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_jgpm_
Communicator
02-17-2017
01:37 PM
I've looked into format and it doesn't look like I can replace the "=".
I want to change
( ( DateStart="12/14/2016" AND TimeEnd="1:38:27 PM" AND TimeStart="1:38:27 PM" ) )
to
( ( DateStart="12/14/2016" AND TimeEnd<"1:38:27 PM" AND TimeStart>"1:38:20 PM" ) )
Thanks in advance for any suggestions on how to fix this.
I'm on 6.4.3.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
02-17-2017
02:48 PM
Updated answer - found a way, more or less -
| makeresults
| eval DateStart="12/14/2016" | eval TimeEnd="1:38:27 PM" |eval TimeStart="1:38:27 PM"
| table DateStart TimeStart TimeEnd
| format
| append
[| makeresults | eval DateStart="12/14/2016" | eval TimeEnd="1:38:27 PM" |eval TimeStart="1:38:27 PM"
| table DateStart TimeStart TimeEnd
| eval myfield=mvappend("DateStart=".DateStart,"TimeStart>".TimeStart, "TimeEnd<".TimeEnd)
| table myfield
| mvexpand myfield
| rename myfield as search
| format ( ( " " ) AND )
| rex field=search mode=sed "s/\( \"/( /g"
| rex field=search mode=sed "s/([=<>])/\1\"/g"
]
which gives this results for comparison
( ( DateStart="12/14/2016" AND TimeEnd="1:38:27 PM" AND TimeStart="1:38:27 PM" ) )
( ( DateStart="12/14/2016" ) AND ( TimeStart>"1:38:27 PM" ) AND ( TimeEnd<"1:38:27 PM" ) )
So those two results LOOK equivalent.
However, I'm leery of the date format, since you'd be comparing to a literal, and I don't think that's what you really want. Assuming your returned search values were in epoch time format, it turns out the code works the same --
| makeresults
| eval DateStart=strptime("12/14/2016","%m/%d/%Y")
| eval TimeEnd=strptime("12/14/2016 1:38:27 PM","%m/%d/%Y %l:%M:%S %p")
| eval TimeStart=strptime("12/14/2016 1:38:27 PM","%m/%d/%Y %l:%M:%S %p")
| table DateStart TimeStart TimeEnd
| format
| append
[| makeresults
| eval DateStart=strptime("12/14/2016","%m/%d/%Y")
| eval TimeEnd=(strptime("1:38:27 PM","%l:%M:%S %p")%86400 +DateStart)
| eval TimeStart=(strptime("1:38:27 PM","%l:%M:%S %p")%86400 +DateStart)
| table DateStart TimeStart TimeEnd
| eval myfield=mvappend("DateStart=".DateStart,"TimeStart>".TimeStart, "TimeEnd<".TimeEnd)
| table myfield
| mvexpand myfield
| rename myfield as search
| format ( ( " " ) AND )
| rex field=search mode=sed "s/\( \"/( /g"
| rex field=search mode=sed "s/([=<>]+)/\1\"/g"
]
produces this
( ( DateStart="1481673600.000000" AND TimeEnd="1481722707.000000"
AND TimeStart="1481722707.000000" ) )
( ( DateStart="1481673600.000000" ) AND ( TimeStart>"1481722707.000000" )
AND ( TimeEnd<"1481722707.000000" ) )
Made a slight update to the sed to make sure it would work for >= and <=
Updated to make sure the start and end time are relative to the date.
Get Updates on the Splunk Community!
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
