How to set value for earliest and latest?

avaishsplunk
Path Finder

I am unable to set values for earliest and latest; I am getting errors. Below is my search query.

eval earliest=if(strftime(now(),"%A")=="Monday","-3d@d","-1d@d") eval latest=if(strftime(now(),"%A")<>"Monday", "-3d@s","1d@s") index=XXX sourcetype=YYY |search "XXYZ"
| spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
| spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
| spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
| spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
| spath output=OC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
| spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
| spath output=CC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
| eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),OC),TimeZone),CC)
| mvexpand combined
| eval combined=split(combined,",")
| eval OpName=mvindex(combined,0)
| eval EvType=mvindex(combined,1)
| eval state=mvindex(combined,2)
| eval Line_Count=mvindex(combined,3)
| eval OC=mvindex(combined,4)
| eval TimeZone=mvindex(combined,5)
| eval CC=mvindex(combined,6)
| where OpName="Total Reservations Count"
0 Karma
1 Solution

niketn
Legend

Kindly update your question with your query which needs assistance...

  1. Your eval expressions are missing a comma before the default case 1==1 expression.
  2. Also, please choose an appropriate default value, since Others is not a valid option for earliest or latest. Please find the snippet below:

    [| gentimes start=-1
    | eval earliest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday", "-3d@d",
    $SearchOption$ == "Last_Week_Same_Day_Time","-7d@d",
    $SearchOption$ == "Last_Working_Day","-1d@d")
    | eval latest=case($SearchOption$ == "Last_Working_Day" AND lower(strftime(now(),"%A"))="monday","-3d@s",
    $SearchOption$=="Last_Week_Same_Day_Time","-7d@s",
    $SearchOption$=="Last_Working_Day","-1d@s")
    | table earliest, latest
    | format "" "" "" "" "" ""]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
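The two things the accepted answer relies on are the weekday branch (on a Monday look back three days so the window lands on Friday, otherwise one day) and the fact that the subsearch's `format "" "" "" "" "" ""` turns the earliest/latest row into plain `earliest="..." latest="..."` search terms. The following Python is an added example, not code from this thread or from Splunk: it re-implements that branch and a small resolver for the only relative-time modifiers used on this page (`-Nd@d`, `-Nd@s`, `@d`) so you can check which absolute window a given `now` produces. The resolver is a constructed approximation of Splunk's relative-time handling (it ignores time zones; Splunk resolves these in the search's time zone), and every function name here is an assumption of the example.

```python
from datetime import datetime, timedelta
import re

# Subset of Splunk's relative-time syntax used on this page: an optional
# day offset like "-3d", then an optional snap "@d" or "@s".
# Constructed approximation for illustration, not Splunk's own parser.
_REL = re.compile(r"^(?:(-?\d+)d)?(?:@(d|s))?$")


def resolve_relative(modifier, now):
    """Resolve a modifier such as "-3d@d", "-1d@s" or "@d" against `now`."""
    m = _REL.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier for this example: {modifier!r}")
    days, snap = m.group(1), m.group(2)
    t = now + timedelta(days=int(days)) if days else now
    if snap == "d":
        # @d snaps back to midnight of that day
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "s":
        # @s snaps back to the whole second
        t = t.replace(microsecond=0)
    return t


def lookback_modifiers(now):
    """Mirror of the eval in the thread: Monday -> 3 days back (Friday), else 1 day back."""
    if now.strftime("%A").lower() == "monday":
        return "-3d@d", "-3d@s"
    return "-1d@d", "-1d@s"


def spl_time_terms(now_iso):
    """What the `| table earliest, latest | format "" "" "" "" "" ""` subsearch hands back."""
    earliest, latest = lookback_modifiers(datetime.fromisoformat(now_iso))
    return f'earliest="{earliest}" latest="{latest}"'


def search_window(now_iso):
    """Absolute (earliest, latest) bounds, as ISO strings, for a search run at now_iso."""
    now = datetime.fromisoformat(now_iso)
    earliest_mod, latest_mod = lookback_modifiers(now)
    earliest = resolve_relative(earliest_mod, now)
    latest = resolve_relative(latest_mod, now)
    return earliest.isoformat(sep=" "), latest.isoformat(sep=" ")


if __name__ == "__main__":
    # Constructed sample run times: 2024-03-11 is a Monday, 2024-03-12 a Tuesday.
    for sample in ("2024-03-11 10:30:15", "2024-03-12 08:00:00"):
        print(sample, "->", spl_time_terms(sample), search_window(sample))
```

Running it shows the Monday case covering Friday from midnight up to the same time of day, which is the behaviour the `-3d@d` / `-3d@s` pair is meant to give; any weekday other than Monday covers the previous day in the same way. Holidays are not handled, exactly as in the SPL.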

niketn
Legend

Kindly accept if this answer has helped you fix the issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

avaishsplunk
Path Finder

The issue was with a missing comma " ' " in my query

0 Karma

avaishsplunk
Path Finder

I got the issue fixed, thanks for looking into this Rich!

0 Karma

richgalloway
SplunkTrust

What errors are you getting?

---
If this reply helps you, Karma would be appreciated.
0 Karma

avaishsplunk
Path Finder

Hello Rich,

Thanks for the reply. I was getting an "expression is malformed" error after eval earliest; I got this fixed. Below is my updated search query:

[| gentimes start=-1 
 | eval earliest=if(lower(strftime(now(),"%A"))="monday", "-3d@d", "-1d@d") 
 | eval latest=if(lower(strftime(now(),"%A"))="monday","-3d@s", "-1d@s")
 | table earliest, latest | format "" "" "" "" "" ""]  index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=cc path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),cc)
 | mvexpand combined|eval combined=split(combined,",")
 | eval  OpName=mvindex(combined,0)
 | eval  EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"|append
 [search earliest=@d   index=yy sourcetype=zz
 | search "xx"
 | spath output=OpName path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.operationName
 | spath output=EvType path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.eventTypeCode
 | spath output=state path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.state
 | spath output=Line_Count path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.recordCount
 | spath output=Org_Code path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute1
 | spath output=TimeZone path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute2
 | spath output=CDC_RDC path=payload.gpmGenerateEventLogs.gpmGenerateEventLog{}.attribute3
 | eval combined=mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(OpName,EvType),state),Line_Count),Org_Code),TimeZone),CDC_RDC)
 | mvexpand combined
 | eval combined=split(combined,",")
 | eval  OpName=mvindex(combined,0)
 | eval  EvType=mvindex(combined,1)
 | eval state=mvindex(combined,2)
 | eval Line_Count=mvindex(combined,3)
 | eval Org_Code =mvindex(combined,4)
 | eval TimeZone =mvindex(combined,5)
 | eval cc=mvindex(combined,6)
 | where OpName="abc"]
 | bucket _time span=1d
 | stats sum(Line_Count) AS Requests by _time
0 Karma