Re: splunk

Siddharthnegi · ‎01-31-2024

lets say i have a query which is giving no result at present date but may give in future .
In this query I have calculated timeval = strftime(_time,"%y-%m-%d") , since there is not data coming so "_time" will be empty hence timeval does not give any result . But still I have to show timeval with the help of present time , how can i do that .
i also used at the end of query appendpipe[stats count| where count==0
eval timeval=strftime(now(),%d/%m/%Y) | where count==0] but still no result.

ITWhisperer · ‎01-31-2024

Your time format string should be in double quotes

| makeresults
| where false()
| appendpipe
    [stats count
    | where count=0
    | eval timeval=strftime(now(), "%d/%m/%Y")
    | where count = 0]

Siddharthnegi · ‎01-31-2024

sorry , I have put them in double inverted commas , still no results

ITWhisperer · ‎01-31-2024

If you run the code snippet I shared, you should see results i.e. it works. This seems to imply that there is something else going on in your search which is causing you to have no results. Please share your full search in a code block </>

splunk

other

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel