https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18279#M2634 <P>Does it work if you use strftime() instead of tostring()?</P> Thu, 22 Jul 2010 05:59:59 GMT gkanapathy 2010-07-22T05:59:59Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18278#M2633 <P>Is it possible to use the <CODE>now()</CODE> function in an macro? And if so, are there any specific limitations?</P> <P>&lt;p&gt;Example macro:&lt;/p&gt;</P> <PRE><CODE>[test_macro] definition = tostring(now()) iseval = 1 </CODE></PRE> <P>Trying to use this macro returns the following error message on the search screen:</P> <PRE><CODE>Error in 'SearchParser': The definition of macro 'test_macro' is expected to be an eval expression that returns a string. </CODE></PRE> <P><STRONG>Update:</STRONG> For the purpose of demonstration, here are other macro definitions I tried when attempting to track this down:</P> <PRE><CODE>[test_macro] definition = now() iseval = 1 [test_macro] definition = strftime((now(), "%H:%M") iseval = 1 [test_macro] definition = a_non_existant_function() iseval = 1 </CODE></PRE> <P>I see the same error message for all of these different macros.</P> <P>This last test makes me think that the within the context of a macro, splunk sees <CODE>now()</CODE> just like "a_non_existant_function()" (which obviously doesn't exist). It would be nice to get a more specific error message saying that the eval is invalid because of a non-existing function.</P> Mon, 28 Sep 2020 09:10:31 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18278#M2633 Lowell 2020-09-28T09:10:31Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18279#M2634 <P>Does it work if you use strftime() instead of tostring()?</P> Thu, 22 Jul 2010 05:59:59 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18279#M2634 gkanapathy 2010-07-22T05:59:59Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18280#M2635 <P>No using <CODE>strftime()</CODE> doesn't make a difference. I've added a few more examples of things I've tried to my question. Seems like "now()" is unknown within the eval-based macro expansion.</P> Thu, 22 Jul 2010 22:23:09 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18280#M2635 Lowell 2010-07-22T22:23:09Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18281#M2636 <P>Looks like a bug.</P> Thu, 22 Jul 2010 23:13:11 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18281#M2636 gkanapathy 2010-07-22T23:13:11Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18282#M2637 <P>I opened a case with splunk support. Thanks.</P> Fri, 23 Jul 2010 01:40:29 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18282#M2637 Lowell 2010-07-23T01:40:29Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18283#M2638 <P>Are you sure you want an eval-based definition? What is your use case?</P> <P>If you want a macro that just evals to a string that represents the current time, use <CODE>time()</CODE> instead of <CODE>now()</CODE></P> <P><CODE>time()</CODE> is the wall clock time. <CODE>now()</CODE> is the "nominal" start time of the search. For example, the scheduler may run a search that is supposed to start at 2PM but really started at 2:15pm, <CODE>now()</CODE> would still be 2pm)</P> <P>Therefore, <CODE>now()</CODE> relys on run-time search info, which is not available for macro expansion. A macro needs to be able to be expanded outside the scope of a particular search.</P> <P>There's some functions that are available in the eval command that are not available for eval-based macros. These include:</P> <PRE><CODE>now() searchmatch() mvindex() mvcount() mvjoin() commands() split() mvappend() </CODE></PRE> <P>Basically, any function that needs manipulates search-search-result specific information (e.g., multi-value fields, the search that was run, etc)</P> Fri, 23 Jul 2010 04:30:14 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18283#M2638 steveyz 2010-07-23T04:30:14Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18284#M2639 <P>Note that none of this applies if you aren't using an eval-based definition. Simple definitions are just doing text replacement, so anything goes.</P> Fri, 23 Jul 2010 04:31:26 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18284#M2639 steveyz 2010-07-23T04:31:26Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18285#M2640 <P>Thanks, that answers my question. I was guessing that the answer had something to do with runtime search info. FYI, my use case is here: <A href="http://answers.splunk.com/questions/4528/finding-your-local-timezone-with-eval/4909#4909">http://answers.splunk.com/questions/4528/finding-your-local-timezone-with-eval/4909#4909</A>.</P> Mon, 02 Aug 2010 22:11:38 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18285#M2640 Lowell 2010-08-02T22:11:38Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18286#M2641 <P>Is <CODE>mvappend()</CODE> new function? Its not in the docs, but I had submitted a feature request for such a function)</P> Mon, 02 Aug 2010 22:12:50 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18286#M2641 Lowell 2010-08-02T22:12:50Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18287#M2642 <P>yes mvappend() is new to 4.1+</P> Tue, 03 Aug 2010 03:38:26 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18287#M2642 steveyz 2010-08-03T03:38:26Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18288#M2643 <P>An eval based macro must return a string.<BR /> tostring(now()) is not a string ... dough ! <BR /> you need to ensapsulate it with double quotes<BR /> <CODE>[macronow]<BR /> definition = "tostring(now())"<BR /> iseval = 1</CODE></P> <P>To test with<BR /> <CODE>|makeresults count=2 |eval show=strftime(<CODE>macronow</CODE>,"%D %T")</CODE></P> Tue, 30 Oct 2018 12:47:27 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/18288#M2643 ldongradi_SPL 2018-10-30T12:47:27Z https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/678557#M232036 <P>you are 200% correct.&nbsp;<BR />to use iseval = 1&nbsp;<BR />we must specify the definition within double quotes.&nbsp;</P> Sat, 24 Feb 2024 03:31:46 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-use-now-in-eval-based-macros/m-p/678557#M232036 thambisetty 2024-02-24T03:31:46Z