Splunk Search

Why do search results return nothing on a calculated check?

jsilverbears
Path Finder

I have a summary index that is holding lead information. One of the data points I created was the numeric day the lead was inserted for easy searching.

So some of the data looks like:
_time="2016-01-01 00:00:00" id=12345 name="Bill" day=4 etc...

I want to search where day is equal to today's day. For today, it would be Thursday so day=4 in this case.

The following are searches that I have done to get at the information and what they returned:

Search 1: index=summary title=lead_summary day=4
Return: Results I would expect.

Search 2: index=summary title=lead_summary day=strftime(now(),"%w")
Return: No results found.

Search 3: index=summary title=lead_summary | where day=strftime(now(),"%w")
Return: Results I would expect.

Search 4: index=summary title=lead_summary | eval days=strftime(now(),"%w") | where day=days
Return: Results I would expect.

I have already checked that the day column is set properly. Why am I getting no results for search 2? Search 1 grabs exactly what I need and only looks at what I need. Searches 3 and 4 go through all the data in question to get the information I need, which is too slow. Search 2 should work but doesn't. Again, what is going on?

P.S. I tried using tonumber() on the calculated day in the second search, just in case, but it didn't work. It didn't change anything when I did that for the other searches.

0 Karma

lguinn2
Legend

Search number 2 will never work because strftime is a function. It can only be used with the eval and where commands.

0 Karma

jsilverbears
Path Finder

now() is also a function but when I search for _time less than now() it finds all events. Conversely, when I search for _time greater than now() it finds nothing, as expected.

So what "functions" can you use without where and eval? Obviously, now() is in that list.

Here is the complete list of functions for your reference:
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions

Notice that in the Date and Time functions section both strftime and now are listed.

0 Karma

jsilverbears
Path Finder

So I did tests with various functions in this list and it would appear that functions that take arguments will fail outright, but the ones that don't will give... unexpected results.

The following will all give the same answer:
index=summary title=lead_summary _time<now()
index=summary title=lead_summary _time<true()
index=summary title=lead_summary _time<false()
index=summary title=lead_summary _time<pi()

If you use greater than or equals instead, they fail. This is an obvious bug since, at the very least, pi() shouldn't even be comparable to _time.

It would appear lguinn2 is only partially right, but the documentation does not reflect that.

The documentation states,

You can use these functions with the eval, fieldformat, and where commands, and as part of evaluation expressions.

This does not state:

You must use those in eval, fieldformat, and where commands.

This should be clarified.

As I do not have the ability to make this the answer, hopefully, others will see this full and complete answer.

0 Karma
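For readers landing on this thread: the core issue is that in the base search (before the first pipe) `day=strftime(now(),"%w")` is not evaluated; the right-hand side is taken as a literal string, so no event matches. The usual way to keep the fast indexed `day=4` filter from Search 1 while still computing the value at run time is a subsearch. This is an added example, not from any post in the thread; it assumes the same index, `title` and `day` fields described above and a Splunk version that has the makeresults command (6.3 or later, so 6.4.2 qualifies).

```spl
index=summary title=lead_summary
    [ | makeresults
      | eval day=strftime(now(),"%w")
      | return day ]
```

The subsearch runs first and its output (for example `day="4"` on a Thursday) is substituted into the outer search, so the filter is applied at index time exactly like Search 1 rather than via a post-filter over every event as in Searches 3 and 4.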