I have a summary index that is holding lead information. One of the data points I created was the numeric day the lead was inserted for easy searching.
So some of the data looks like:
_time="2016-01-01 00:00:00" id=12345 name="Bill" day=4 etc...
I want to search where day is equal to today's day. For today, it would be Thursday so day=4 in this case.
The following are searches that I have done to get at the information and what they returned:
Search 1: index=summary title=lead_summary day=4
Return: Results I would expect.
Search 2: index=summary title=lead_summary day=strftime(now(),"%w")
Return: __No results found.__
Search 3: index=summary title=lead_summary | where day=strftime(now(),"%w")
Return: Results I would expect.
Search 4: index=summary title=lead_summary | eval days=strftime(now(),"%w") | where day=days
Return: Results I would expect.
I have already checked that the day column is set properly. Why am I getting no results for search 2? Search 1 grabs exactly what I need and only looks at what I need. Searches 3 and 4 go through __all__ the data in question to get the information I need, which is too slow. Search 2 should work but doesn't. Again, what is going on?
P.S. I tried using tonumber() on the calculated day in the second search, just in case, but it didn't work. It didn't change anything when I did that for the other searches.