Splunk Search

iam receiving a message unbalanced quotes , i tried using back slash

pavanraghav
Explorer
 | eval e="$time_token.earliest$", l=$time_token.latest$"| eval e=case(match(e,"^\d+$"),e,e="" OR e="now" , "0" , true(), relative_time(now(),e)) | eval l=case(match(l,"^\d+$"),l,l="" OR l="now" , "2145916800", true(), relative_time(now(),l)) 
Tags (1)
0 Karma
1 Solution

renjith_nair
Legend

@pavanraghav ,

In your search above, you are missing a " in I=$time_token.latest$"

Also , please use the Code Sample to add your search snippets. I edited it for now

---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:

View solution in original post

0 Karma

arjunpkishore5
Motivator

your missing a quote in your eval

| eval e="$time_token.earliest$", l="$time_token.latest$"
| eval e=case(match(e,"^\d+$"),e,e="" or e="now" , "0" , true(), relative_time(now(),e)) 
| eval l=case(match(l,"^\d+$"),l,l="" or l="now" , "2145916800", true(), relative_time(now(),l)) 
0 Karma

pavanraghav
Explorer

thanks arjun

0 Karma

renjith_nair
Legend

@pavanraghav ,

In your search above, you are missing a " in I=$time_token.latest$"

Also , please use the Code Sample to add your search snippets. I edited it for now

---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:
0 Karma

pavanraghav
Explorer

thanks renjith

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...