Solved: How to use _time in where clause with like

ankurborah · ‎08-11-2017

I have to use a date filed fields.updated to filter records the I have to filter based on matching Year-Month as below.

index=Jira_ticket_idx*|rename fields.updated as NewDate|eval NewDate=strptime(strftime(strptime(NewDate, "%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d"),"%Y-%m-%d")|eval _time=NewDate|where like(_time,"%2017-08%")|timechart count

Need experts help.

richgalloway · ‎08-11-2017

The strptime function returns an epoch (integer) timestamp. This means the like function will fail because one can't compare an integer to a string. Try this query.

index=Jira_ticket_idx*|rename fields.updated as NewDate|where like(NewDate, "%2017-08%") | eval _time=strptime(NewDate, "%Y-%m-%dT%H:%M:%S") | timechart count

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-11-2017

The strptime function returns an epoch (integer) timestamp. This means the like function will fail because one can't compare an integer to a string. Try this query.

index=Jira_ticket_idx*|rename fields.updated as NewDate|where like(NewDate, "%2017-08%") | eval _time=strptime(NewDate, "%Y-%m-%dT%H:%M:%S") | timechart count

---
If this reply helps you, Karma would be appreciated.

How to use _time in where clause with like

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms