Solved: Re: How do you transform a subsearch into a string...

pcatasus · ‎04-23-2020

I have a token I want to set up when I first init dashboard:
[stats count | eval search=strftime(now(), "mysearch%y%m%d%H%M%S.csv")]
But this gets interpreted dynamically throughout changing the name of the file. I just want to have a timestamp literal I can reuse. Been at it for a while using fieldformat, print, etc. Thanks!

manjunathmeti · ‎04-23-2020

You can init strftime(now(), "mysearch%y%m%d%H%M%S.csv") first then use it in the actual token.

<init>
    <eval token="filename">strftime(now(), "mysearch%y%m%d%H%M%S.csv")</eval>
    <set token="search">[stats count | eval search=$filename$]</set>
  </init>

View solution in original post

manjunathmeti · ‎04-23-2020

You can init strftime(now(), "mysearch%y%m%d%H%M%S.csv") first then use it in the actual token.

<init>
    <eval token="filename">strftime(now(), "mysearch%y%m%d%H%M%S.csv")</eval>
    <set token="search">[stats count | eval search=$filename$]</set>
  </init>

pcatasus · ‎04-23-2020

Worked like a charm! Thank you!

manjunathmeti · ‎04-24-2020

Please accept answer.

pcatasus · ‎04-24-2020

Sorry! Done.

How do you transform a subsearch into a string literal and not SPL?

token

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!