Solved: Error in macro "The definition of macro is expecte...

pradeepkumarg · ‎09-19-2014

I'm trying to filter my data with the current day of week value using a macro. DAY_OF_WK is a field in my sourcetype

I get this error when trying below query with macro

Error in macro "The definition of macro is expected to be an eval expression that returns a string."

Query



index=my_index sourcetype=mysourcetype DAY_OF_WK=dayofwk(1)

Macro



    if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

Any idea on what I am doing wrong here?

Thanks,
Pradeep

aweitzman · ‎09-19-2014

I tried this stanza and it worked fine:

[dayofwk(1)]
args = dummy
definition = if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

My search

| gentimes start=-1 | eval zzz=`dayofwk(1)` | fields zzz

got me the expected value.

Did you put iseval = true at the end of your stanza? If so, it's unnecessary.

View solution in original post

aweitzman · ‎09-19-2014

I tried this stanza and it worked fine:

[dayofwk(1)]
args = dummy
definition = if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

My search

| gentimes start=-1 | eval zzz=`dayofwk(1)` | fields zzz

got me the expected value.

Did you put iseval = true at the end of your stanza? If so, it's unnecessary.

aweitzman · ‎09-19-2014

I figured out your real problem. now() is not capable of being processed in a macro. See here:

http://answers.splunk.com/answers/4907/can-you-use-now-in-eval-based-macros.html

I tried making an eval-based macro using time() instead of now() as described in the above link, adding iseval=true, and using it as you wanted to use it above, and it worked fine. Give that a shot.

pradeepkumarg · ‎09-19-2014

Awesome.. worked like a champ. Thank you so much 🙂

aweitzman · ‎09-19-2014

Does my original query work if you uncheck the "Use eval-based definition" checkbox? If so, do that and structure your earlier query like this:

index=my_index sourcetype=mysourcetype | where DAY_OF_WK=`dayofwk(1)`

Yes, this is more inefficient. However, I have not figured out any way to get the macro to work with iseval = true (which is the equivalent of your checkbox).

pradeepkumarg · ‎09-19-2014

Ahh, I removed iseval=true and it worked. But I'm unable to use it before the first pipe. If I have to use it after the pipe, I don't need a macro in first place.

pradeepkumarg · ‎09-19-2014

even the eval after pipe | is not working for me | eval DAY=dayofwk(1). I get the same error. Even tried the same query which you mentioned above and it doesn't work

pradeepkumarg · ‎09-19-2014

I'm configuring it through WEB, and yes "Use eval-based definition?" is checked. Is it because I want to substitute this even before first pipe "|" and you are doing it in eval in your search query? does that matter? I want to filter this before first pipe |

Error in macro "The definition of macro is expected to be an eval expression that returns a string."

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor