Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in macro "The definition of macro is expected to be an eval expression that returns a string."

pradeepkumarg
Influencer
‎09-19-2014 08:08 AM

I'm trying to filter my data with the current day of week value using a macro. DAY_OF_WK is a field in my sourcetype

I get this error when trying below query with macro 

Error in macro "The definition of macro is expected to be an eval expression that returns a string."

Query


index=my_index sourcetype=mysourcetype DAY_OF_WK=dayofwk(1)

Macro



    if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

Any idea on what I am doing wrong here?

Thanks,
Pradeep

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎09-19-2014 08:49 AM

I tried this stanza and it worked fine:

[dayofwk(1)]
args = dummy
definition = if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

My search 

| gentimes start=-1 | eval zzz=`dayofwk(1)` | fields zzz

got me the expected value.

Did you put iseval = true at the end of your stanza? If so, it's unnecessary.

View solution in original post

Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎09-19-2014 08:49 AM

I tried this stanza and it worked fine:

[dayofwk(1)]
args = dummy
definition = if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

My search 

| gentimes start=-1 | eval zzz=`dayofwk(1)` | fields zzz

got me the expected value.

Did you put iseval = true at the end of your stanza? If so, it's unnecessary.

Reply
Solved! Jump to solution

aweitzman
Motivator
‎09-19-2014 09:52 AM

I figured out your real problem. now() is not capable of being processed in a macro. See here:

http://answers.splunk.com/answers/4907/can-you-use-now-in-eval-based-macros.html

I tried making an eval-based macro using time() instead of now() as described in the above link, adding iseval=true, and using it as you wanted to use it above, and it worked fine. Give that a shot.

Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎09-19-2014 10:08 AM

Awesome.. worked like a champ. Thank you so much 🙂

0 Karma
Reply
Solved! Jump to solution

aweitzman
Motivator
‎09-19-2014 09:12 AM

Does my original query work if you uncheck the "Use eval-based definition" checkbox? If so, do that and structure your earlier query like this:

index=my_index sourcetype=mysourcetype | where DAY_OF_WK=`dayofwk(1)`

Yes, this is more inefficient. However, I have not figured out any way to get the macro to work with iseval = true (which is the equivalent of your checkbox).

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎09-19-2014 09:18 AM

Ahh, I removed iseval=true and it worked. But I'm unable to use it before the first pipe. If I have to use it after the pipe, I don't need a macro in first place.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎02-23-2024 07:34 PM

If you were to use iseval = 1. you must specify definition of the macro within double quotes "". Because Splunk is expecting string in the definition

example definition 

"round('$field$',$decimal$)"
————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎09-19-2014 09:06 AM

even the eval after pipe | is not working for me | eval DAY=dayofwk(1). I get the same error. Even tried the same query which you mentioned above and it doesn't work

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎09-19-2014 08:54 AM

I'm configuring it through WEB, and yes "Use eval-based definition?" is checked. Is it because I want to substitute this even before first pipe "|" and you are doing it in eval in your search query? does that matter? I want to filter this before first pipe |

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...