I am unable to set values for earliest and latest; I am getting errors. Below is my search query.
```NOTE(review): as posted, both eval clauses sit in front of the base search terms and have no leading pipe, so they are not parsed as eval commands. Fields named earliest/latest that eval creates later in a pipeline also do not set the search time range; the replies in this thread pass them in from a subsearch instead.```
eval earliest=if(strftime(now(),"%A")=="Monday","-3d@d","-1d@d") eval latest=if(strftime(now(),"%A")<>"Monday", "-3d@s","1d@s") index=XXX sourcetype=YYY |search "XXYZ"
```Each spath pulls one attribute out of every element of the gpmGenerateEventLog{} array, giving one multivalue field per attribute.```
|spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
| spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
| spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
| spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
```NOTE(review): "output=OCpath=" here and "output=CCpath=" two lines down lack the space before path= that the other spath lines have - presumably lost when the field names were anonymised; confirm against the real query.```
| spath output=OCpath=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
| spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
| spath output=CCpath=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
```Zip the seven multivalue fields position by position, expand to one result per array element, then split each zipped value back into its columns.```
| eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),OC),TimeZone),CC)
| mvexpand combined|eval combined=split(combined,",")| eval OpName=mvindex(combined,0)
| eval EvType=mvindex(combined,1)
| eval state=mvindex(combined,2)
| eval Line_Count=mvindex(combined,3)
| eval OC=mvindex(combined,4)
| eval TimeZone =mvindex(combined,5)
| eval CC=mvindex(combined,6)
|where OpName="Total Reservations Count"
Kindly update your question with the query that needs assistance...
Also, please choose an appropriate default value, since "Others" is not a valid option for earliest or latest. Please find the snippet below:
[| gentimes start=-1
```gentimes is used here only to produce a result row for the evals to run on; table + format then hand earliest="..." latest="..." to the outer search as search terms.```
```NOTE(review): $SearchOption$ is a dashboard token that is substituted as raw text before the search runs. Unless the token value already carries its own double quotes, eval reads the bare word as a field name, so write it as $SearchOption|s$ (the |s filter wraps the value in quotes and escapes embedded quotes); that also keeps an unexpected token value from changing the search.```
```case() has no default branch here, so any other option value leaves earliest null.```
| eval earliest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday", "-3d@d",
$SearchOption$ == "Last_Week_Same_Day_Time","-7d@d",
$SearchOption$ == "Last_Working_Day","-1d@d")
```Same branches as earliest, snapped to the second instead of the day; likewise null for any other option value.```
| eval latest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday","-3d@s",
$SearchOption$=="Last_Week_Same_Day_Time","-7d@s",
$SearchOption$=="Last_Working_Day","-1d@s")
| table earliest, latest
```The six empty strings suppress the parentheses and AND/OR that format would otherwise add around the field="value" pairs.```
| format "" "" "" "" "" ""]
Kindly update your question with the query that needs assistance...
Also, please choose an appropriate default value, since "Others" is not a valid option for earliest or latest. Please find the snippet below:
[| gentimes start=-1
```gentimes is used here only to produce a result row for the evals to run on; table + format then hand earliest="..." latest="..." to the outer search as search terms.```
```NOTE(review): $SearchOption$ is a dashboard token that is substituted as raw text before the search runs. Unless the token value already carries its own double quotes, eval reads the bare word as a field name, so write it as $SearchOption|s$ (the |s filter wraps the value in quotes and escapes embedded quotes); that also keeps an unexpected token value from changing the search.```
```case() has no default branch here, so any other option value leaves earliest null.```
| eval earliest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday", "-3d@d",
$SearchOption$ == "Last_Week_Same_Day_Time","-7d@d",
$SearchOption$ == "Last_Working_Day","-1d@d")
```Same branches as earliest, snapped to the second instead of the day; likewise null for any other option value.```
| eval latest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday","-3d@s",
$SearchOption$=="Last_Week_Same_Day_Time","-7d@s",
$SearchOption$=="Last_Working_Day","-1d@s")
| table earliest, latest
```The six empty strings suppress the parentheses and AND/OR that format would otherwise add around the field="value" pairs.```
| format "" "" "" "" "" ""]
Kindly accept if this answer has helped you fix the issue.
The issue was with a missing comma " ' " in my query
I got the issue fixed, thanks for looking into this Rich!
What errors are you getting?
Hello Rich,
Thanks for the reply. I was getting an "expression is malformed" error after eval earliest; I got this fixed. Below is my updated search query:
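[| gentimes start=-1
```Subsearch: works out the comparison window and hands it to the outer search as earliest=/latest= terms. On a Monday the window is taken from 3 days back instead of from yesterday.```
| eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d", "-1d@d")
```latest snaps to the second rather than the day, so the window ends at the current time of day on the comparison day.```
| eval latest=if(lower(strftime(now(),"%A"))="monday","-3d@s", "-1d@s")
| table earliest, latest | format "" "" "" "" "" ""] index=yy sourcetype=zz
| search "xx"
```Each spath pulls one attribute out of every element of the gpmGenerateEventLog{} array, giving one multivalue field per attribute.```
| spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
| spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
| spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
| spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
| spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
| spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
```Fixed: the posted line read "output=ccpath=", without the space that separates the output field from the path argument.```
| spath output=cc path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
```mvzip joins with "," by default and split() cuts on "," again, so an attribute value that itself contains a comma shifts the columns; pass a different delimiter to both if that can occur.```
| eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),cc)
| mvexpand combined
| eval combined=split(combined,",")
| eval OpName=mvindex(combined,0)
| eval EvType=mvindex(combined,1)
| eval state=mvindex(combined,2)
| eval Line_Count=mvindex(combined,3)
| eval Org_Code=mvindex(combined,4)
| eval TimeZone=mvindex(combined,5)
| eval cc=mvindex(combined,6)
| where OpName="abc"
```Second leg: the same extraction over today so far (earliest=@d), appended so that both days reach the final stats.```
| append
[search earliest=@d index=yy sourcetype=zz
| search "xx"
| spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
| spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
| spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
| spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
| spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
| spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
```attribute3 is extracted as cc here as well (the posted query used CDC_RDC in this leg and then assigned the expanded value to cc), so both legs carry the same field names.```
| spath output=cc path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
| eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),cc)
| mvexpand combined
| eval combined=split(combined,",")
| eval OpName=mvindex(combined,0)
| eval EvType=mvindex(combined,1)
| eval state=mvindex(combined,2)
| eval Line_Count=mvindex(combined,3)
| eval Org_Code=mvindex(combined,4)
| eval TimeZone=mvindex(combined,5)
| eval cc=mvindex(combined,6)
| where OpName="abc"]
```One row per calendar day with the summed record counts.```
| bucket _time span=1d
| stats sum(Line_Count) AS Requests by _time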