- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If statement for earliest time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that needs to either snap to 7am ( -7h@d+7h) or 7pm ( -7h@d+19h) depending on whether the time of search ( now()) is between 7am-7pm or 7pm-7am. For example, if it is 8:30am, I need to see my search using earliest=-7h@d+7h, but if it is 21:15, I need see my search using earliest=-7h@d+19h.
I tried the following if statement, but it doesn't work.
earliest=if(now()>="-7h@d+7h" AND now()<"-7h@d+19h", "-7h@d+7h", "-7h@d+19h")
This is for an embedded report, so I wasn't thinking I could use any XML or tokens.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest Your Search Here"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest Your Search Here"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some minor typos, but otherwise this works. Thank you!
| makeresults
| eval earliest=if(now()>=relative_time(now(),"-7h@d+7h") AND now()<relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest$ Your Search Here"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bonus question - how do I escape quotes without using XML (this code is going in a macro)?
My map search pipe needs to look like this:
| map search = "search earliest=$earliest$ index=my_index Process="Thing & Thing" Parameter=my_parameter"
I've determined that the quotes around "Thing & Thing" are messing up the search string.
My workaround is to add another line below map search with
| search Process="Thing & Thing"
but this seems really kludgy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can escape by using ... \"Thing & Thing\" ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To handle that in search itself, you need to override earliest using subsearch, like this
your base search [| gentimes start=-1 | eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h") | table earliest ] ...| rest of the search
I've used the relative time modifier from your question, so check if that's giving you correct values.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
