Example:
source="D:\filepath\filepath\filepath\filepath\DebugImportHelper_7_25_2017.log"
This log file is created every day with the current date. I want a search that runs in real time and only returns data from a source that contains the current date. My current search looks like this (asterisks do not show, so $ represents where asterisks would be):
source=$"D:\filename\filename$ source=$filename\filename$ source=$clientID$ Start
| eval today=strftime(now(), "%m_%d_%Y") | where source=$today$
| eval time=strftime(round(strptime(full_Time, "%I:%M:%S %P")), "%H:%M:%S")
| eval late=if(time>"15:00:00", 1, 0)
| table Action, full_Date, full_Time, time, late, source
The "eval today=strftime(now(), "%m/%d/%Y") | where source=$today$" part returns the right date format, but the "where" does not work.
The where clause doesn't support wildcards directly. You have to use either the like or match function with it. The where command requires % as the wildcard character.
...| where like(source,"%".today."%") | ....
OR match, which does 'contains'-type matching, so you don't need a wildcard there.
...| where match(source,today) | ....
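Putting the answer together with the question's pipeline, here is the full search as an added example (not the asker's or answerer's own search). The source path, the DebugImportHelper_ file prefix and the field names are taken from the question; everything else is assumed. One caveat worth building in: strftime's %m and %d are zero-padded ("07"), while the filename in the question reads 7_25_2017, so the example strips leading zeros with ltrim before building the date token:

```spl
source="D:\filepath\filepath\filepath\filepath\DebugImportHelper_*.log" Start
| eval today=ltrim(strftime(now(), "%m"), "0") . "_" . ltrim(strftime(now(), "%d"), "0") . "_" . strftime(now(), "%Y")
| where like(source, "%DebugImportHelper_" . today . ".log")
| eval time=strftime(round(strptime(full_Time, "%I:%M:%S %p")), "%H:%M:%S")
| eval late=if(time > "15:00:00", 1, 0)
| table Action, full_Date, full_Time, time, late, source
```

The like() pattern anchors on the file prefix and the .log suffix so that a date token such as 1_2_2017 cannot accidentally match 11_2_2017 inside a longer name. The same filter can be written with match(source, "DebugImportHelper_" . today . "\.log$"), where the argument is a regular expression and no % wildcard is needed. If the log files on disk do use zero-padded months and days, drop the two ltrim() calls and use strftime(now(), "%m_%d_%Y") directly, as in the answer above.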
This was exactly what I was looking for. Thanks!