
I have a query that does not return results and shows no errors (the same happens with both the where and the search command):

"ExtendedProperties.PrCode"="myProductName" 
| eval myversion="12.916"|  where "ExtendedProperties.ProductVersion"=myversion

The query without eval returns results:

"ExtendedProperties.PrCode"="myProductName" 
|  search "ExtendedProperties.ProductVersion"="12.916" 

The product version's last three digits are the month (September) and the day (16); my final goal is to derive them from the current date using the now() function. This will remove the need to update the query every day. Unfortunately, this query is also not returning results:

"ExtendedProperties.PrCode"="myProductName" 
| eval month = ltrim(tostring(strftime(now(),"%m")),"0") 
| eval day = strftime(now(),"%d") 
| eval version="12." + month + day 
| where "ExtendedProperties.ProductVersion"=version

Here is some sample data:

{"Timestamp":"2020-12-14T14:37:00.2662745Z","Categories":["someCategoryString"],"Metadata":["someMetadataString"],"ExtendedProperties":{"MachineId":"SomeMachineId","ProductVersion":"12.916","PrCode":"MyProductName","ProductType":"1","Type":"ProductUsed","Source":"SomeSourceString","SessionId":"SomeGuid","TimeStamp":"2020-12-14T14:36:56.7086819Z","Environment":"SomeEnvironment"}}

This returns results:

|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"="12.1219"

However, when I replace the string "12.1219" with the version variable that has the same value (at the end of the search), there are no results found:

|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"=version

The expected output is one record that contains the expected version (12.1219 for today).

K. B.

2 Answers


Don't use eval and where or eval and search

Put it in the initial search:

"ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.916"

Make Splunk do your work for you - and let it do it in the most efficient manner possible :)

EDIT reflecting question update:

Try something like this:

index=ndx "ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.*"
| eval monthday=strftime(now(),"%m%d")
| where match("ExtendedProperties.ProductVersion",monthday)

First, don't use two evals when one will do :)

Second, get to know the various functions and their arguments like strftime and common time formats. Or match

warren
  • Thank you for your time. I want to achieve a more complex search and I cannot realize why this more basic one is not working. Maybe I do something wrong with variable declaration? Could you please tell me what would be the correct syntax if a variable is used? – K. B. Dec 09 '20 at 14:50
  • @K.B. - what are you *actually* trying to accomplish? – warren Dec 09 '20 at 15:10
  • I added the query that is my final goal in my question. I want to take the month and the day from the current date, and then pass it as a part of the product version variable so that I do not have to update the query every day. – K. B. Dec 09 '20 at 15:31
  • Thank you for the information, unfortunately the suggested query also does not return results. – K. B. Dec 11 '20 at 17:22
  • @K.B. - if this isn't working, *and* your search isn't working ... then I suspect you have missed something about the data ... because I can only go off what you've shared. Please share some sample data so that we can help you better :) – warren Dec 11 '20 at 18:38
  • I added sample data, thank you. – K. B. Dec 18 '20 at 07:33

I found that if the field is not extracted properly, the query can return no results. So with this query, the results are shown as expected:

|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day | rex "ProductVersion[\\\":]*(?<ExtractedProductVersion>[^\\\":]*)" | where ExtractedProductVersion=version
K. B.
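The quoting rule behind both the question's failing where/search queries and the rex workaround in the second answer, shown as an added example that is not part of any post on this page: in eval and where, a double-quoted name is a string literal, and only single quotes refer to a field, so comparing a dotted field extracted by spath requires single quotes. The search assumes the nested event shape from the question's sample data (trimmed to two properties) and only Splunk's built-in makeresults, spath, if, strftime and ltrim.

```spl
| makeresults
| eval _raw="{\"ExtendedProperties\":{\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\"}}"
| spath
| eval version="12.1219"
| eval todays_version="12." . ltrim(strftime(now(),"%m"),"0") . strftime(now(),"%d")
| eval as_literal=if("ExtendedProperties.ProductVersion"=version, "match", "no match")
| eval as_field=if('ExtendedProperties.ProductVersion'=version, "match", "no match")
| where 'ExtendedProperties.ProductVersion'=version
| table ExtendedProperties.ProductVersion version todays_version as_literal as_field
```

as_literal comes out as "no match" and as_field as "match", and the where line is the filter the question was after; todays_version shows the date-derived value built without tostring, since strftime already returns a string.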