Hi folks, I've been all over this site and Google and am not finding a working solution.
I'm trying to perform a search using a subsearch to populate earliest=
| tstats min(_indextime) as firstTime, max(_indextime) as lastTime where earliest=[ | rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | eval earli="-" . dy . "d@d" |fields earli ] index=syslog by index
| eval delta = (lastTime - firstTime) | eval yr = floor(delta/86400/365)| eval dy = (delta/86400) % 365 | eval actual_ret = yr . " years, " . dy . " days"
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S"), firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | fields index, firstTime, lastTime, delta, actual_ret
| join index [| rest /services/admin/indexes splunk_server=localhost | eval yr = floor(frozenTimePeriodInSecs/86400/365)
| eval dy = (frozenTimePeriodInSecs/86400) % 365 | eval ret = yr . " years, " . dy . " days" | eval index=title
| stats avg(currentDBSizeMB) as currentDBSizeMB, avg(maxTotalDataSizeMB) as maxTotalDataSizeMB, max(frozenTimePeriodInSecs) as frozenTimePeriodInSecs, max(ret) by index
| eval pct_data=(currentDBSizeMB/maxTotalDataSizeMB) * 100] | eval pct_ret = (delta/frozenTimePeriodInSecs)*100
and get the error
> Invalid value "(" for time term 'earliest'
I also tried the subsearch
earliest=[ | rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | fields dy ]
with the same result. Both subsearches by themselves return correct results:
| rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | eval earli="-" . dy . "d@d" |fields earli
returns
-365d@d
and
| rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | fields dy
returns
365
How can I get the subsearch value to be used by "earliest="?
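One way to get past this error, added here as an example and not part of the original post: when a subsearch is spliced back into the outer search, Splunk renders its rows as `( field="value" )` by default, so `earliest=` receives a leading `(` rather than the time string. The `return` command with the `$field` form emits only the value, which is what `earliest=` needs. The index name, REST endpoint and field names below are the ones from the post; the `floor()` around the day count is my addition (a fractional `frozenTimePeriodInSecs` would otherwise produce an invalid time term), and the claim that `return $earli` yields a value `earliest=` accepts is my assumption.

```spl
| tstats min(_indextime) as firstTime, max(_indextime) as lastTime
    where earliest=[
        | rest /services/admin/indexes splunk_server=localhost
        | search title=syslog
        | eval dy = floor(frozenTimePeriodInSecs/86400)
        | eval earli = "-" . dy . "d@d"
        | return $earli
    ] index=syslog by index
| eval delta = lastTime - firstTime
| eval yr = floor(delta/86400/365)
| eval dy = floor((delta/86400) % 365)
| eval actual_ret = yr . " years, " . dy . " days"
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S"), firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| fields index, firstTime, lastTime, delta, actual_ret
```

If `return $earli` wraps the value in double quotes, the resulting `earliest="-365d@d"` is still a valid time term. An equivalent alternative is to name the subsearch field `earliest`, end the subsearch with `| return earliest`, and drop the `earliest=` prefix from the outer `where` clause, so the subsearch contributes the whole `earliest="-365d@d"` term itself; that form also makes it easy to run the subsearch on its own and confirm exactly what text it will inject.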