Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why "where" doesn't work with hight values ?

Abarny
Path Finder
‎04-24-2017 02:06 AM

Hi guys,

I have a problem on my request because when i use a short time like 7 days ou 15 days it is right but when i use values like 1 month or 6 months, the request doesn't give me result : 

index="xxx"  
| rename "logs{}.*"  as * 
|fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
| eval acteur='user.firstName'." ".'user.lastName'  | search acteur="AAA" 
|rename projectId as NOVA_ID | join[ search index="gtav2_projects"  projects{}.icma="*"  
|rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
| rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
| dedup Title |eval dateLimite =relative_time(now(),"-7dmon")   
| convert timeformat="%d/%m/%Y %H:%M" ctime(dateLimite)|  where date > dateLimite 
|table "Nom Client",Title,ICMA,date, dateLimite, NOVA_ID

Thanks you for your help

0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 05:32 AM

I try this solution but isn't work too but more easier to debugg I think. Can you tell me why DateAffect is not convert ?

And why this where block again the result ?

index="aaa"  
| rename "logs{}.*"  as * 
|fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
| eval acteur='user.firstName'." ".'user.lastName'  
| search acteur="XXX" 
| rename projectId as NOVA_ID 
| join[ search index="gtav2_projects"  projects{}.icma="*"  
| rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
| rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
| dedup Title| convert  timeformat="%d/ %m/ %Y" ctime(date) as DateAffect 
| eval debut=relative_time(now(),"-7mon") 
|  convert timeformat="%d/ %m/ %Y %H:%M" ctime(debut)  
| eval fin=relative_time(now(),"-1d")  
| convert timeformat="%d/ %m/ %Y %H:%M" ctime(fin)  
| where (DateAffect > debut AND DateAffect < fin )  
|table "Nom Client",Title,ICMA,debut,fin,date,DateAffect

Thanks for your answer.

0 Karma
Reply

dineshraj9
Builder
‎04-24-2017 02:12 AM

Can you check this part of your query -

|eval dateLimite =relative_time(now(),"-7dmon")

Looks like the second parameter needs to be fixed. If you want 7 months, it should be "-7mon".

0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 02:18 AM

it was a typing error, sorry ..

0 Karma
Reply

dineshraj9
Builder
‎04-24-2017 02:21 AM

Try moving the convert statement after the comparison. 

 index="xxx"  
 | rename "logs{}.*"  as * 
 |fields user.lastName,projectId,user.firstName, user.lastName,time,type,date 
 | eval acteur='user.firstName'." ".'user.lastName'  | search acteur="AAA" 
 |rename projectId as NOVA_ID | join[ search index="gtav2_projects"  projects{}.icma="*"  
 |rename projects{}.id as NOVA_ID, projects{}.icma as ICMA ] 
 | rename projects{}.title as Title ,projects{}.client.name as "Nom Client" 
 | dedup Title |eval dateLimite =relative_time(now(),"-7mon")   
 |  where date > dateLimite | convert timeformat="%d/%m/%Y %H:%M" ctime(dateLimite)
 |table "Nom Client",Title,ICMA,date, dateLimite, NOVA_ID
0 Karma
Reply

Abarny
Path Finder
‎04-24-2017 02:25 AM

I had try this but the request doesn't give all values

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...