Solved: Check if first occurrence of event is today

wu_weidong · ‎12-05-2019

I'm trying to check if the first occurrence of an event is today using the query below. However, I keep getting result as "0", indicating that there was no match, even though some of the dates are the same.

mysearch | stats earliest(_time) as firstSeen by item | fieldformat firstSeen=strftime(firstSeen, "%d-%m-%Y") | eval today_date=strftime(now(), "%d-%m-%Y") | eval result=if(firstSeen=today_date, "1", "0")

All of my results are "0", even for entries like the one below.

item     firstSeen     today_date    result
ABC      06-12-2019    06-12-2019    0

I even tried to change the if-condition to firstSeen!=today_date just to see what happens, and my result is still all '0', even for those where the dates don't match. It doesn't seem like the if-condition is being evaluated.

What should I do?

shandr · ‎12-05-2019

Use eval instead of fieldformat.

That fieldformat command changes the appearance of the results without changing the underlying value of the field. Refer to https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Fieldformat

View solution in original post

shandr · ‎12-05-2019

Use eval instead of fieldformat.

That fieldformat command changes the appearance of the results without changing the underlying value of the field. Refer to https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Fieldformat

Check if first occurrence of event is today

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk