I have a query that does not return results and shows no errors (the same with where and search command):
"ExtendedProperties.PrCode"="myProductName"
| eval myversion="12.916"| where "ExtendedProperties.ProductVersion"=myversion
The query without eval returns results:
"ExtendedProperties.PrCode"="myProductName"
| search "ExtendedProperties.ProductVersion"="12.916"
The product version last three digits are the month (September) and the day (16), my final goal is to extract them from the current date, using the now() function. This will remove the need to update the query every day. Unfortunately this query is also not returning results:
"ExtendedProperties.PrCode"="myProductName"
| eval month = ltrim(tostring(strftime(now(),"%m")),"0")
| eval day = strftime(now(),"%d")
| eval version="12." + month + day
| where "ExtendedProperties.ProductVersion"=version
Here is some sample data:
{"Timestamp":"2020-12-14T14:37:00.2662745Z","Categories":["someCategoryString"],"Metadata":["someMetadataString"],"ExtendedProperties":{"MachineId":"SomeMachineId","ProductVersion":"12.916","PrCode":"MyProductName","ProductType":"1","Type":"ProductUsed","Source":"SomeSourceString","SessionId":"SomeGuid","TimeStamp":"2020-12-14T14:36:56.7086819Z","Environment":"SomeEnvironment"}}
This returns results:
|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"="12.1219"
However, when I replace the string "12.1219" with the version variable that has the same value (at the end of the search), there are no results found:
|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"=version
The expected output is one record that contains the expected version (12.1219 for today).
I found that if the field is not extracted properly, the query can return no results. So with this query, the results are shown as expected:
|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day | rex "ProductVersion[\\\":]*(?<ExtractedProductVersion>[^\\\":]*)" | where ExtractedProductVersion=version