https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187819#M54134 <P>Eval statements cannot contain subsearches. Try this instead:</P> <PRE><CODE>index=[redacted] sourcetype=[redacted] "[redacted]=[redacted]" | dedup "DATE" | sort +_time | head 1 | bucket _time span=1d | stats first(_time) as thedate | table thedate </CODE></PRE> Thu, 27 Aug 2015 14:46:58 GMT richgalloway 2015-08-27T14:46:58Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187817#M54132 <P>I'm trying to search by a specific date, so I wanted to return the date to an eval, but when I run it, I get the message: <CODE>Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'.</CODE></P> <P>This is the search I'm running: </P> <PRE><CODE>| eval thedate=[return index=[redacted] sourcetype=[redacted] "[redacted]=[redacted]" | dedup "DATE" | sort +_time | head 1 | bucket _time span=1d | stats first(_time) as _time] | table thedate </CODE></PRE> <P>-------------------------------------- EDIT: 8/27/15 9:49am --------------------------------------<BR /> So I realize now that I was using the return command incorrectly, here's what I'm getting now: </P> <PRE><CODE>| eval thedate=[search index=[redacted] sourcetype=[redacted] "[redacted]=[redacted]" | dedup "DATE" | sort +_time | head 1 | bucket _time span=1d | return _time] | table thedate </CODE></PRE> <P>But I'm still getting the error: <CODE>Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr])</CODE></P> Thu, 27 Aug 2015 14:32:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187817#M54132 sam_jacob 2015-08-27T14:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187818#M54133 <P>you can't perform an operation "as _time"</P> <P>you could do something like this:</P> <P>stats first(_time) as Time . . .</P> Thu, 27 Aug 2015 14:40:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187818#M54133 tskinnerivsec 2015-08-27T14:40:06Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187819#M54134 <P>Eval statements cannot contain subsearches. Try this instead:</P> <PRE><CODE>index=[redacted] sourcetype=[redacted] "[redacted]=[redacted]" | dedup "DATE" | sort +_time | head 1 | bucket _time span=1d | stats first(_time) as thedate | table thedate </CODE></PRE> Thu, 27 Aug 2015 14:46:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187819#M54134 richgalloway 2015-08-27T14:46:58Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187820#M54135 <P>Ohh okay, I didn't know that. I think I need rethink this search query. Thanks.</P> Thu, 27 Aug 2015 14:53:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187820#M54135 sam_jacob 2015-08-27T14:53:06Z https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187821#M54136 <P>The eval does accept subsearches, but you need return the value instead of the field using return $fieldname. See this runanywhere sample</P> <PRE><CODE>| gentimes start=-1 | eval temp=[| gentimes start=-1 | eval endhuman="\"".endhuman."\""| return $endhuman] </CODE></PRE> <P>Your query would look like this</P> <PRE><CODE>| eval thedate=[search index=[redacted] sourcetype=[redacted] "[redacted]=[redacted]" | dedup "DATE" | sort +_time | head 1 | bucket _time span=1d | return $_time] | table thedate </CODE></PRE> Thu, 27 Aug 2015 16:49:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-a-timestamp-to-an-eval/m-p/187821#M54136 somesoni2 2015-08-27T16:49:15Z