How to export results from makeresult in query bod...

malear_ion · ‎07-11-2019

For example I have this query:

index=en_amp_api 
    [ | makeresults 
    | eval time = relative_time(now(),"-h@w1") 
    | eval format = strftime(time, "%m/%d/%Y:%H:%M:%S") 
    | eval earliest=strptime(format,"%m/%d/%Y") 
    | eval latest=relative_time(earliest,"+24h@h") 
| table earliest latest ]
| table earliest, latest
| ....

I see values of earliest and latest with table only [ ... ], but I can not see values after closing brackets !

I wont to see the value after closing brackets ! How is that possible?

jitendragupta · ‎07-11-2019

As per my understanding, u want to generate earliest and latest epochs from makeresult query and want to pass it to your index query.
Please try this code:

| makeresults 
     | eval time = relative_time(now(),"-h@w1") 
     | eval format = strftime(time, "%m/%d/%Y:%H:%M:%S") 
     | eval earliest=strptime(format,"%m/%d/%Y") 
     | eval latest=relative_time(earliest,"+24h@h") | table earliest latest 
     | map maxsearches=1000 search="search index=en_amp_api earliest=$earliest$ latest=$latest$ | table <list of fields> "

Let me know if it work.

malear_ion · ‎07-12-2019

Unfortunately, the proposed solution does not work

jitendragupta · ‎07-12-2019

What is the error you are getting? Please provide some screenshot.

malear_ion · ‎07-12-2019

I have different case:

| eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month")
| eval 1_week_ago = case( last_seen < strftime(relative_time(now() "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")
Now: 7/12/19 10:30:00.000 AM
I need search first case in interval of time 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in interval of time 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM

How it's possible ?

With search parameter earliest and latest it's impossible,

index=en_amp_api earliest=@w1 latest=@w2
because the search work only on first case.

I try something this to do earliest and latest as variables:

| makeresults
| eval time = relative_time(now(),"-h@w1")
| eval format = strftime(time, "%m/%d/%Y:%H:%M:%S")
| eval earliest = strptime(format,"%m/%d/%Y")
| eval latest = relative_time(earliest,"+24h@h")
| eval format_earliest = strftime(earliest,"%m/%d/%Y %H:%M:%S")
| eval format_latest = strftime(latest,"%m/%d/%Y %H:%M:%S")
| table format_earliest format_latest

malear_ion · ‎07-12-2019

Unfortunately, the proposed solution does not work ...
I have different case:

| eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month")
| eval 1_week_ago = case( last_seen < strftime(relative_time(now() "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")
Now: 7/12/19 10:30:00.000 AM
I need search first case in interval of time 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in interval of time 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM

How it's possible ?

malear_ion · ‎07-12-2019

I have different case:

  | eval this_week = case(last_seen < strftime(relative_time(now(), "-mon"), "%Y-%m-%dT%H:%M:%SZ"), "1 Month") 
    | eval 1_week_ago = case( last_seen < strftime(relative_time(now() "-2mon"), "%Y-%m-%dT%H:%M:%SZ"), "2 Month")

Now: 7/12/19 10:30:00.000 AM
I need search first case in interval of time 7/8/19 00:00:00.000 AM - 7/9/19 00:00:00.000 AM
The second case in interval of time 7/1/19 00:00:00.000 AM - 7/2/19 00:00:00.000 AM

How it's possible ?

With search parameter earliest and latest it's impossible,

index=en_amp_api earliest=@w1 latest=@w2

because the search work only on first case.
That's why I try something this to do earliest and latest as variables.

woodcock · ‎07-11-2019

To answer your question, see here:
https://answers.splunk.com/answers/689333/earliest-is-the-maxtimestamp-from-an-inputlookup.html
But that is overkill, just do this:

index=en_amp_api earliest=-h@w1 latest=-h@w1+24h@h

malear_ion · ‎07-11-2019

I need to change values: earliest and latest in different cases, so I can not set the search parameters after the index .
I need to change by setting the higher or lower value, search for different cases runs at the time indicated by earliest and latest.

woodcock · ‎07-15-2019

Give us TWO FULL examples of what you are trying to do starting with the raw event data and ending with a mockup of the final results, with detailed pseudocode descriptions of the steps required. I have no idea what you mean by this comment. It very much seems like you are going about this completely the wrong way.

woodcock · ‎07-11-2019

What is it with pictures lately? I wish answers would disable that. We need your raw text so that we can work with it.

malear_ion · ‎07-11-2019

Sorry, I understand
I will make changes !

Vijeta · ‎07-11-2019

@malear_ion Do you have any earliest and latest field in your index en_amp_api ?

malear_ion · ‎07-11-2019

No, is a replacement of search parameters

malear_ion · ‎07-11-2019

For example :

index=en_amp_api earliest=@w1 latest=@w2 | table hostname, last_seen

It's the same !

How to export results from makeresult in query body ?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor