- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why do search results return nothing on a calculat...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why do search results return nothing on a calculated check?
I have a summary index that is holding lead information. One of the data points I created was the numeric day the lead was inserted for easy searching.
So some of the data looks like:
_time="2016-01-01 00:00:00" id=12345 name="Bill" day=4 etc...
I want to search where day is equal to today's day. For today, it would be Thursday so day=4 in this case.
The following are searches that I have done to get at the information and what they returned:
Search 1: index=summary title=lead_summary day=4
Return: Results I would expect.
Search 2: index=summary title=lead_summary day=strftime(now(),"%w")
Return: No results found.
Search 3: index=summary title=lead_summary | where day=strftime(now(),"%w")
Return: Results I would expect.
Search 4: index=summary title=lead_summary | eval days=strftime(now(),"%w") | where day=days
Return: Results I would expect.
I have already checked that the day column is set properly. Why am I getting no results for search 2? Search 1 grabs exactly what I need and only looks at what I need. Searches 3 and 4 go through all the data in question to get the information I need, too slow. Search 2 should work but doesn't. Again, what is going on?
P.S. I tried using tonumber() on the calculated day in the second search, just in case but it didn't work. It didn't change anything when I did that for the other searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search number 2 will never work because strftime is a function. It can only be used with eval and where commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
now() is also a function but when I search for _time less than now() it finds all events. Conversely, when I search for _time greater than now() it finds nothing, as expected.
So what "functions" can you use without where and eval? Obviously, now() is in that list.
Here is the complete list of functions for your reference:
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions
Notice in Date and Time functions section both strftime and now are both listed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I did tests with various functions in this list and it would appear that functions that take arguments will fail outright but the ones that don't will give.... unexpected results.
The following will all give the same answer:
index=summary title=lead_summary _time<now()
index=summary title=lead_summary _time<true()
index=summary title=lead_summary _time<false()
index=summary title=lead_summary _time<pi()
If you put greater than or you put equals to, they fail. This is an obvious bug since, at the very least, pi() shouldn't even be comparable to _time.
It would appear Iguinn is only partially right, but the documentation does not reflect that.
The documentation states,
You can use these functions with the eval, fieldformat, and where commands, and as part of evaluation expressions.
This does not state:
You must use those in eval, fieldformat, and where commands.
This should be clarified.
As I do not have the ability to make this the answer, hopefully, others will see this full and complete answer.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
