I've ran out of GoogleFu, so if anyone can point me in the right direction or a better term or two to Google... I'm trying to figure out Splunk SPL syntax to search 4 different fields for the same value, any match in the four fields wins, with out searching every field for the TERM(<IP>).
index="main" packets_out>0 action="allowed" TERM(192.168.2.1)
| fields src_ip, dest_ip, dest_translated_ip, src_translated_ip,packets_out
| head 10
These will always be constant: index="main" packets_out>0 action="allowed"
The IP will be the only variable that will change and I'm trying to make it as simple as possible for others to "open search, change 1 IP, click go".
This works as is, but once I try to search against prod with 2000 devices.. I'm expecting my query time will not be 1 second anymore, even with using "Fast Mode" search. I've reduced the 4 second query time to 1. Along with the size of data queried with this already, in my home lab, but I don't think this is going to scale very well.
Is there a better way to do this, besides plugging in 10-20 device names into the query like this? I would rather not have static device names, so if someone "forgets" to update the query; I'll get blamed for the external IP overlap issue.
index="main" packets_out>0 action="allowed" TERM(192.168.2.1) dvc_name="firewall1" OR dvc_name="firewall2" <*18>
| fields src_ip, dest_ip, dest_translated_ip, src_translated_ip,packets_out
| head 10
Raw log if needed:
Apr 7 23:59:55 192.168.2.1 Apr 7 23:59:55 wall 1,2021/04/07 23:59:54,012801092758,TRAFFIC,end,2560,2021/04/07 23:59:54,192.168.2.189,173.194.219.94,10.10.10.2,173.194.219.94,web_access_out-1,,,quic,vsys1,trust,untrust,ethernet1/8,ethernet1/2,splunk,2021/04/07 23:59:54,2004,1,53384,443,59427,443,0x400050,udp,allow,5528,2350,3178,15,2021/04/07 23:57:53,1,any,0,5261883,0x0,192.168.0.0-192.168.255.255,United States,0,6,9,aged-out,0,0,0,0,,wall,from-policy,,,0,,0,,N/A,0,0,0,0,f863e426-7e87-4999-b5cb-bc6dc38d788f,0,0,,,,,,,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-04-07T23:59:55.282-04:00,,
Thanks,
Use OR:
index=ndx sourcetype=srctp (fieldA="myval" OR fieldB="myval" OR fieldC="myval")
Parenthesis added for clarity/readability
I'm trying to get to work a query where I need all the properties, whose payments expired in X number of days. X is defined by the property's community, what I have right now is the following:
Property.joins(:community).joins(:payments).where("payments.expiration_date = current_date + interval communities.sms_defaulting_days + ' days'")
Which is not working, as it does not recognize communities (I believe it's a parsing issue), the error I get is:
PG::SyntaxError: ERROR: syntax error at or near "communities"
which makes sense to me.
What I'm trying to achieve is that the last part of the query should look like this:
payments.expiration_date = current_date + interval '2 days'
And I'd get the 2 from "community.sms_defaulting_days"
Another way to think about it is "expiration_date = 2.days.from_now", but I still have the same problem, as I do not know how to make it work dynamically.
Try to write the code as :
Property.joins(:community)
.joins(:payments)
.where("payments.expiration_date = current_date + (communities.sms_defaulting_days || ' days')::interval")
I'm working on a project with a rails api and an iOS client, using the updated_at field as the reference to detect modifications on the server that happened after the last pull from the client.
The updated_at datetime has a precision in milliseconds, meaning that
Model.updated_at.to_f
returns something like "1368977381.063427".
This is sent to the client formatted as "2013-05-19T15:29:41.063427000Z".
The trouble is, when I get that datetime back from the client, parse it and query with it, the milliseconds are lost.
last_update = DateTime.strptime("2013-05-19T15:29:41.063427000Z", "%Y-%m-%dT%H:%M:%S.%N%z")
Model.where("updated_at > ?", last_update)
is as good as doing
last_update = DateTime.strptime("2013-05-19T15:29:41Z", "%Y-%m-%dT%H:%M:%S%z")
Model.where("updated_at > ?", last_update)
As a result, I always get at least one result when I should get none, because the milliseconds are truncated.
How can I take those into account in my query ?
Try
Model.where("updated_at > ?", last_update.strftime("%Y-%m-%dT%H:%M:%S.%N%z"))
You can also set this format as the standard format for DateTime in databases by setting (i.e. in an initiallizer):
Time::DATE_FORMATS[:db]= '%Y-%m-%dT%H:%M:%S.%N%z'
then your original query works again:
Model.where("updated_at > ?", last_update)
See the Rails API for DateTime.to_s (aka .to_formated_s)
If you're using the ISO8601 standard you can use .iso8601(10). Don't know why but it rounds to seconds by default.
I'm using GeoCoder in my application. Now I need to search for objects in my database which are close to a position OR have specific attribute set. I would like to perform this action in one database query, because the database is realy huge.
I would like to have something like
Spot.near([lat,long],distance).where("visited = ?",true).
The distance and the visited attribute should be combined with an OR, not with an AND.
Does anyone have an idea how to do this?
Thank you!
Based off of this answer, you should be able to do something like:
near = Spot.near([lat, long], distance)
visited = Spot.where(visited: true)
near = near.where_values.reduce(:and)
visited = visited.where_values.reduce(:and)
Spot.where(near.or(visited))
I'm in the process of upgrading a Rails application from Rails 4 to Rails 7 and ran into this problem. While I have no doubt Luke's suggestion worked in earlier versions, it doesn't work in Rails 7 (I'm currently running activerecord-7.0.3.1.
In my particular case, I am using the geocoder near() method to return results that are within a 20 mile radius of the query, but I also wanted to use OR conditions to return results where the query was similar to the text values in either the name or location columns from the items table in an attempt to return relevant items that haven't been assigned latitude and longitude values.
In Rails 4, my solution was:
select("items.*").near(q, 20, select: :geo_only).tap do |near_query|
near_query.where_values.last << sanitize_sql([" OR items.location LIKE ? OR items.name LIKE ?", "%#{q}%", "%#{q}%"])
end
In Rails/ActiveRecord 7, the where_values() method no longer exists. Searching for an alternate solution led me to this post. I wound up spending a fair amount of time perusing the latest ActiveRecord and Arel code for a solution. Here's what I came up with,
Rails 7 solution:
t = Item.arel_table
arel_geo_conditions = Item.near(q, 20).where_clause.ast # ast: Abstract Syntax Tree
Item.where(arel_geo_conditions.or(t[:location].matches("%#{q}%").or(t[:name].matches("%#{q}%"))))
Apparently it is impossible to provide the Changed Date field with a timestamp (format '2009-12-14 10:00:00') when defining a new Team Query. I get the error: "The query failed. You cannot supply a time with the date when running a query using date precision.".
Is there a workaround for this? I just want a list of work items which are changed since the last 'x' minutes.
The solution is to write your own WIQL query: http://teamfoundation.blogspot.com/2008/01/specifying-date-and-time-in-wiql.html.
You to enter the date in the same format as it is displayed by VSTS: dd-MMM-YY (01-Jan-16).
In order to filter your items in TFS by a specific date, stick to this format:
try adding query parameter timePrecision:true. This worked for me
I ran into the same problem while trying to query for the latest updates and worked around it by doing the following
// defined elsewhere
private DateTime lastUpdated;
string consult = "select * from WorkItem where [Created Date] > ' " + lastUpdated.ToString("MM/dd/yy") +
"' AND [Work Item Type] = 'Test Case'";
IEnumerable<ITestCase> tcc = testManagementTeamProject.TestCases.Query(consult).Where(tp => tp.DateCreated > lastUpdated);
I did something very similar for retrieving test results
The last parameter of this query constructor lets you define the precision:
dayPrecision
When TRUE, indicates that a DateTime should resolve to an entire day. Often, it is TRUE to avoid being more precise about a specific time.