Splunk Search

Use strftime eval in same query

jsmithn
Path Finder

I am trying to create a search that evaluates today's date and uses that output string/field as part of the search:

**sourcetype=named | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | search nowstr**

The unique string needed is "(serial 2019102402)" and I've confirmed the field "nowstr" is that exact string. I think I need a subsearch but cannot get it working:

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | table nowstr ]

LOG EVENT

HOSTNAME named[32473]: 24-Oct-2019 09:00:10.656 notify: info: zone example.com/IN: sending notifies (serial 2019102402)


jsmithn
Path Finder

sourcetype=named
[ | gentimes start=-1 | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr ] "(serial"

Not really sure what's happening but it works. Thanks to tiagofbmm for moving it along. Can replace "gentimes start=-1" with "makeresults" but unknown if one is better.

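As an added example, not code from the original thread: the accepted answer written out with makeresults, extended to pull the zone and serial out of the notify line so the result can be counted per host. The rex pattern and the stats grouping are assumptions based on the single log event posted above.

```spl
sourcetype=named
    [ | makeresults
      | eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)"
      | return $nowstr ]
| rex "zone (?<zone>\S+)/IN: sending notifies \(serial (?<serial>\d+)\)"
| stats count BY host zone serial
```

What the subsearch hands to the outer search is the difference between the three attempts in this thread. With "| table nowstr", the subsearch expands to nowstr="(serial 2019102402)", a field-equals-value condition, and named events have no field called nowstr, so nothing matches. With "| return $nowstr" it expands to just the quoted value, so the outer search becomes sourcetype=named "(serial 2019102402)", a plain term search that the index can satisfy without touching every event. The first attempt, "| search nowstr", looks for the literal word nowstr rather than the field's value. makeresults and gentimes start=-1 both produce the single row the subsearch needs; makeresults is the purpose-built command for that.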

woodcock
Esteemed Legend

Like this:

| makeresults
| eval nowstr="(serial ".strftime(now(), "%Y%m%d")."02)"
| map search="search index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=named $nowstr$"


tiagofbmm
Influencer

You can use a subsearch of makeresults. You apply your eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" within the makeresults and do a return $nowstr.

In the end something like this:

Search sourcetype=named [ | makeresults | eval nowstr="serial ".strftime(now(), "%Y%m%d")."02)" | return $nowstr]

Let me know

jsmithn
Path Finder

Trying that gives "Error in 'search' command: Unable to parse the search: unbalanced parentheses.". But I did not know about the return command; using that I was able to get it to work. There's likely a better, more elegant solution, but it returns the results expected! 🙂


jsmithn
Path Finder

Also works with either "makeresults" or "gentimes start=-1". I don't know the difference, if one is better (more economical for search).


richgalloway
SplunkTrust

Why do you think you need a subsearch? How is the first query failing you?
Does 'nowstr' contain quotes? If not, that may explain the failure.

---
If this reply helps you, Karma would be appreciated.

jsmithn
Path Finder

I think that, based on other posts in the community, a subsearch seems like the way to accomplish what I want. The first query does not yield any results. 'nowstr' is defined by my statement above. Using today's date, its value is (serial 2019102402). No quotes.
