1
votes

I have a query that returns no results and shows no errors (the same happens with both the where and the search command):

"ExtendedProperties.PrCode"="myProductName" 
| eval myversion="12.916" | where "ExtendedProperties.ProductVersion"=myversion

The query without eval returns results:

"ExtendedProperties.PrCode"="myProductName" 
|  search "ExtendedProperties.ProductVersion"="12.916" 

The last three digits of the product version are the month (September) and the day (16); my final goal is to derive them from the current date using the now() function, which will remove the need to update the query every day. Unfortunately this query also returns no results:

"ExtendedProperties.PrCode"="myProductName" 
| eval month = ltrim(tostring(strftime(now(),"%m")),"0") 
| eval day = strftime(now(),"%d") 
| eval version="12." + month + day 
| where "ExtendedProperties.ProductVersion"=version

Here is some sample data:

{"Timestamp":"2020-12-14T14:37:00.2662745Z","Categories":["someCategoryString"],"Metadata":["someMetadataString"],"ExtendedProperties":{"MachineId":"SomeMachineId","ProductVersion":"12.916","PrCode":"MyProductName","ProductType":"1","Type":"ProductUsed","Source":"SomeSourceString","SessionId":"SomeGuid","TimeStamp":"2020-12-14T14:36:56.7086819Z","Environment":"SomeEnvironment"}}

This returns results:

|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"="12.1219"

However, when I replace the string "12.1219" with the version variable that has the same value (at the end of the search), there are no results found:

|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"=version

The expected output is one record that contains the expected version (12.1219 for today).

2

2 Answers

1
votes

Don't use eval and where, or eval and search.

Put it in the initial search:

"ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.916"

Make Splunk do your work for you - and let it do it in the most efficient manner possible :)

EDIT reflecting question update:

Try something like this:

index=ndx "ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.*"
| eval monthday=ltrim(strftime(now(),"%m"),"0").strftime(now(),"%d")
| where match('ExtendedProperties.ProductVersion', monthday)

First, don't use two evals when one will do :)

Second, get to know the various functions and their arguments, like strftime and the common time formats, or match.

0
votes

I found that if the field is not extracted properly, the query can return no results. So with this query, the results are shown as expected:

|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day | rex "ProductVersion[\\\":]*(?<ExtractedProductVersion>[^\\\":]*)" | where ExtractedProductVersion=version
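The behaviour seen in the question comes down to quoting rules in SPL. In eval and where, a double-quoted token is a string literal, so "ExtendedProperties.ProductVersion"=version compares the literal text ExtendedProperties.ProductVersion with the computed version and never matches; a field name that contains a dot has to be wrapped in single quotes to be read as a field. In the search command, field=version compares the field with the literal string version, because search cannot compare one field with another. The following is an added example, not code from the question or from either answer: it puts both comparisons side by side on a constructed event, and uses a fixed date (2020-12-19, parsed with strptime into the field t) instead of now() so the result does not depend on the day it is run.

```spl
| makeresults
| eval _raw="{\"ExtendedProperties\":{\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\"}}"
| spath
| eval t=strptime("2020-12-19", "%Y-%m-%d")
| eval version="12.".ltrim(strftime(t, "%m"), "0").strftime(t, "%d")
| eval literal_compare=if("ExtendedProperties.ProductVersion"=version, "match", "no match")
| eval field_compare=if('ExtendedProperties.ProductVersion'=version, "match", "no match")
| table ExtendedProperties.ProductVersion version literal_compare field_compare
```

The table shows version as 12.1219, literal_compare as "no match" and field_compare as "match". The working form of the filter from the question is therefore `| where 'ExtendedProperties.ProductVersion'=version`, with now() in place of t; the same single-quote rule applies to field names passed to match() or any other eval function. If the comparison value is known at search time, putting it directly into the initial search, as the first answer suggests, remains the cheaper option.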