Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval field value evaluating correctly, but has no impact when used later down the road in the search query

des_esse_err
Explorer
‎12-15-2014 06:13 AM

It's a simple search query. It needs to find events containing a file name which will change every month.

The eval command should return YYmm* (1412*).

This query works
The eval field signatureVersionCriteria has been replaced -hard coded- with the value it should hold.
The field values shown in a table do indeed display "1412*" for the signatureVersionCriteria field.

index=xxx_app_sep | eval signatureVersionCriteria = strftime(now(), "%y%m") + "*" | search signature_version="1412*"| table signature_version, signatureVersionCriteria

This query does not work
It returns nothing.

index=xxx_app_sep | eval signatureVersionCriteria = strftime(now(), "%y%m") + "*" | search signature_version = signatureVersionCriteria | table signature_version, signatureVersionCriteria

Went through quite a lots of posts, similar to this, but could not figure it out.
Many thanks.
D

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎12-15-2014 06:20 AM

Try the following:

index=xxx_app_sep | eval signatureVersionCriteria = strftime(now(), "%y%m") | where like(signature_version,signatureVersionCriteria."%") | table signature_version, signatureVersionCriteria

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎12-15-2014 06:20 AM

Try the following:

index=xxx_app_sep | eval signatureVersionCriteria = strftime(now(), "%y%m") | where like(signature_version,signatureVersionCriteria."%") | table signature_version, signatureVersionCriteria
Reply
Solved! Jump to solution

des_esse_err
Explorer
‎12-15-2014 07:14 AM

Hello! Many thanks it does indeed work.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-15-2014 08:16 AM

Hi David,

If Aleksander's answer has solved your problem, please accept the answr by clicking on the tick-mark+Accept button below the answer. This will help other users with similar problem to identify the correct solution and you both will get points.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...