Hi, I've been doing lots of study on this, and now I am stuck. Hoping to get some insight here. I'm an absolute noob on Splunk.
So when I type REGAVAIL on Splunk, it will show results like this:
10/5/16
1:48:41.067 PM
2016-10-05 13:48:41,067 INFO [com.shc.regional] (http-10.236.100.23-9680-52) 04651799000|55330|1|REGAVAIL|10072016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16
1:48:40.792 PM
2016-10-05 13:48:40,792 INFO [com.shc.regional] (http-10.236.100.23-9680-5) 02227653000|92040|1|REGAVAIL|10132016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16
1:48:40.295 PM
2016-10-05 13:48:40,295 INFO [com.shc.regional] (http-10.236.100.23-9680-40) 02294142000|02149|1|REGAVAIL|10082016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16
1:48:39.943 PM
2016-10-05 13:48:39,943 INFO [com.shc.regional] (http-10.236.100.23-9680-46) 07120390000|46268|1|REGAVAIL|10112016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
I want to be able to compare the dates "2016-10-05" and the dates "10112016" (which always come after REGAVAIL).
Now, what I have so far is this:
REGAVAIL | regex _raw="^(?P<date1>[^ ]+)(?:[^\|\n]*\|){4}(?P<date2>\d+)" | eval time_a=strftime(date1, "%m%d%Y") | eval time_b=strftime(date2, "%Y-%m-%d") | where time_b!= time_a
Splunk did not complain about syntax, but no results were found. Does anybody see any problem in my query??
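The comparison described in the post, worked through in Python over the four quoted events. This is an added example, not code from the original post. It assumes the field after REGAVAIL is MMDDYYYY, as the post's "%m%d%Y" format string suggests; `parse_event` and `mismatched` are names made up for the example.

```python
import re
from datetime import datetime

# Sample input: the four raw events quoted in the post above.
SAMPLE_EVENTS = [
    "2016-10-05 13:48:41,067 INFO [com.shc.regional] (http-10.236.100.23-9680-52) 04651799000|55330|1|REGAVAIL|10072016|STC",
    "2016-10-05 13:48:40,792 INFO [com.shc.regional] (http-10.236.100.23-9680-5) 02227653000|92040|1|REGAVAIL|10132016|0|SCII",
    "2016-10-05 13:48:40,295 INFO [com.shc.regional] (http-10.236.100.23-9680-40) 02294142000|02149|1|REGAVAIL|10082016|STC",
    "2016-10-05 13:48:39,943 INFO [com.shc.regional] (http-10.236.100.23-9680-46) 07120390000|46268|1|REGAVAIL|10112016|0|SCII",
]

# date1: log date at the start of the line.
# date2: the 8-digit field directly after REGAVAIL (assumed MMDDYYYY).
EVENT_RE = re.compile(
    r"^(?P<date1>\d{4}-\d{2}-\d{2}) .*?\|REGAVAIL\|(?P<date2>\d{8})(?:\||$)"
)

def parse_event(raw):
    """Return (log_date, avail_date) as date objects, or None if unusable."""
    m = EVENT_RE.match(raw)
    if m is None:
        return None
    try:
        # Each string is parsed with its own layout; only then are the
        # two values comparable as dates.
        log_date = datetime.strptime(m.group("date1"), "%Y-%m-%d").date()
        avail_date = datetime.strptime(m.group("date2"), "%m%d%Y").date()
    except ValueError:
        return None  # eight digits that are not a calendar date
    return log_date, avail_date

def mismatched(events):
    """List (log_date, avail_date, days_between) where the two dates differ."""
    rows = []
    for raw in events:
        parsed = parse_event(raw)
        if parsed is None:
            continue
        log_date, avail_date = parsed
        if log_date != avail_date:
            rows.append((log_date, avail_date, (avail_date - log_date).days))
    return rows
```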