Thanks @fredclown @isoutamo for your suggestions, but the suggestions did not work for me. There are a few things I forgot to mention in the question:

1) The fileName field is a nested field.
2) The scenario in which I am using this query.

Scenario description: my scenario is basically that I will query the Splunk logs and check whether there are any success events for the below file, this.is.my.file.received.on.202306.test.json, and generate a count. To calculate success events I will use the Status="completed" key value in the query. I am able to see logs successfully with the below query:

index="xyz" file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json"

But when I tried using the below query I got nothing:

index="xyz" [
| makeresults count=1
| eval file_sub{}.fs.file_name="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
| fields file_sub{}.fs.file_name
| format
]
| {the rest of your SPL}
--------------
I also tried running it with the static file name, something like this, but got no hits:
index="xyz" [
| makeresults count=1
| eval file_sub{}.fs.file_name="this.is.my.file.received.on.202306.test.json"
| fields file_sub{}.fs.file_name
| format
]
| {the rest of your SPL}

I also tried the below query but got nothing:

index="xyz" [ | eval search=strftime(now(), "this.is.my.file.received.on.%Y%m.test.json") | fields search ]

---------------------

Also tried passing a static file name but got no results:

index = "xyz" [ | eval search = "this.is.my.file.received.on.202306.test.json" | fields search ]
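As an added illustration, not taken from the thread, here is a subsearch that builds the complete field=value term in the special search field, so the nested field name (braces included) reaches the outer search exactly as written; the index, field name and Status value are taken from the post, and the closing stats is an assumption about the count that is wanted:

```spl
index="xyz" Status="completed"
    [ | makeresults count=1
      | eval search="file_sub{}.fs.file_name=\"this.is.my.file.received.on." . strftime(_time, "%Y%m") . ".test.json\""
      | fields search ]
| stats count AS success_events
```

The value of the search field returned by a subsearch is substituted verbatim into the outer search, which is why the whole clause, including the field name and the escaped quotes, is assembled inside the eval instead of relying on format to quote the nested field.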