Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Want to change the epoch value dynamically using v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Want to change the epoch value dynamically using variable
Hi,
I am trying to change the EPOCH value in search having where clause in datamodel using variable but not working so please help as i have tried different options but didn't work.
from datamodel=Qualys_prod_ext.Qualys_prod where (nodename = Qualys_prod) Qualys_prod.QID=* Qualys_prod.IP=* Qualys_prod.owner="SRE-DIS-ECO-FEA" Qualys_prod.managed=* Qualys_prod.sev="*" Qualys_prod.LAST_FOUND_DATETIME_EPOCH <1600411282 AND Qualys_prod.LAST_FOUND_DATETIME_EPOCH > 1596808800 groupby Qualys_prod.IP, Qualys_prod.signature, Qualys_prod.owner, Qualys_prod.QID, Qualys_prod.CVSS_CUSTOM, Qualys_prod.FIRST_FOUND_DATETIME|search Qualys_prod.STATUS=* NOT Qualys_prod.STATUS=FIXED
so want to change from Qualys_prod.LAST_FOUND_DATETIME_EPOCH < 1600411282 to Qualys_prod.LAST_FOUND_DATETIME_EPOCH < epochtime variable but having where clause error. I have defined the variable like
| eval epochtime=now()
but didn't help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any other suggestion please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from datamodel=Qualys_prod_ext.Qualys_prod where (nodename = Qualys_prod) Qualys_prod.QID=* Qualys_prod.IP=* Qualys_prod.owner="SRE-DIS-ECO-FEA" Qualys_prod.managed=* Qualys_prod.sev="*" Qualys_prod.LAST_FOUND_DATETIME_EPOCH < now() AND Qualys_prod.LAST_FOUND_DATETIME_EPOCH > 1597759200 groupby Qualys_prod.IP, Qualys_prod.signature, Qualys_prod.owner, Qualys_prod.QID, Qualys_prod.CVSS_CUSTOM, Qualys_prod.FIRST_FOUND_DATETIME|search Qualys_prod.STATUS=* NOT Qualys_prod.STATUS=FIXED
When i change the search from Qualys_prod.LAST_FOUND_DATETIME_EPOCH < 1600417128 to Qualys_prod.LAST_FOUND_DATETIME_EPOCH < now() it throws an error
Error in 'TsidxStats': WHERE clause is not an exact query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's the error ?
Tried below and working fine
|makeresults count=5|eval epochtime=now()|eval epochtime=epochtime - 10
|where epochtime < now()What goes around comes around. If it helps, hit it with Karma 🙂
Splunk Answers Content Calendar, July Edition I
Secure Your Future: Mastering Upgrade Readiness for Splunk 10
Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM
