Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why "where" doesn't work with hight values ?

Abarny
Path Finder
‎04-24-2017 02:06 AM

Hi guys,

I have a problem on my request because when i use a short time like 7 days ou 15 days it is right but when i use values like 1 month or 6 months, the request doesn't give me result : 

index="xxx"  
| rename "logs{}.*"  as * 
|fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
| eval acteur='user.firstName'." ".'user.lastName'  | search acteur="AAA" 
|rename projectId as NOVA_ID | join[ search index="gtav2_projects"  projects{}.icma="*"  
|rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
| rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
| dedup Title |eval dateLimite =relative_time(now(),"-7dmon")   
| convert timeformat="%d/%m/%Y %H:%M" ctime(dateLimite)|  where date > dateLimite 
|table "Nom Client",Title,ICMA,date, dateLimite, NOVA_ID

Thanks you for your help

0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 05:32 AM

I try this solution but isn't work too but more easier to debugg I think. Can you tell me why DateAffect is not convert ?

And why this where block again the result ?

index="aaa"  
| rename "logs{}.*"  as * 
|fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
| eval acteur='user.firstName'." ".'user.lastName'  
| search acteur="XXX" 
| rename projectId as NOVA_ID 
| join[ search index="gtav2_projects"  projects{}.icma="*"  
| rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
| rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
| dedup Title| convert  timeformat="%d/ %m/ %Y" ctime(date) as DateAffect 
| eval debut=relative_time(now(),"-7mon") 
|  convert timeformat="%d/ %m/ %Y %H:%M" ctime(debut)  
| eval fin=relative_time(now(),"-1d")  
| convert timeformat="%d/ %m/ %Y %H:%M" ctime(fin)  
| where (DateAffect > debut AND DateAffect < fin )  
|table "Nom Client",Title,ICMA,debut,fin,date,DateAffect

Thanks for your answer.

0 Karma
Reply

dineshraj9
Builder
‎04-24-2017 02:12 AM

Can you check this part of your query -

|eval dateLimite =relative_time(now(),"-7dmon")

Looks like the second parameter needs to be fixed. If you want 7 months, it should be "-7mon".

0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 02:18 AM

it was a typing error, sorry ..

0 Karma
Reply

dineshraj9
Builder
‎04-24-2017 02:21 AM

Try moving the convert statement after the comparison. 

 index="xxx"  
 | rename "logs{}.*"  as * 
 |fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
 | eval acteur='user.firstName'." ".'user.lastName'  | search acteur="AAA" 
 |rename projectId as NOVA_ID | join[ search index="gtav2_projects"  projects{}.icma="*"  
 |rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
 | rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
 | dedup Title |eval dateLimite =relative_time(now(),"-7mon")   
 |  where date > dateLimite | convert timeformat="%d/%m/%Y %H:%M" ctime(dateLimite)
 |table "Nom Client",Title,ICMA,date, dateLimite, NOVA_ID
0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 02:25 AM

I had try this but the request doesn't give all values

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...