I have the following query that runs fine:
index=someindex original_index=someindex earliest=1553986800 latest=1554069600
| eval date_display = strftime(1553986800, "%a %B %d %m")
| stats values(date_display) as date_determined
| return $date_determined
When I use this search as a subsearch like...
index=some_license_index earliest=1553986800 latest=1554069600
| eval determine_date =
[ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600
| eval date_display = strftime(1553986800, "%a %B %d %m")
| stats values(date_display) as date_determined
| return $date_determined ]
| stats sum(bytes) as "License Usage" by original_source
...I get the following error:
Error in 'eval' command: The expression is malformed.
When I change it to...
index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600
| eval determine_date =
[ search index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600
| eval date_display = 1234
| stats values(date_display) as date_determined
| return $date_determined ]
| stats sum(bytes) as "License Usage" by original_source
...It works fine (note the eval in the subsearch)
The problem here is that your original subsearch returns a string value which has spaces and no enclosing double quotes, which fails when it is returned to eval. Your last search works because you're using a numerical value.
e.g.
| eval test=1234
works, but
| eval test=Mon Apr 1 2019
will not.
If you have to return a string value, add double quotes around the value in the subsearch, like this:
Updated
index=some_license_index earliest=1553986800 latest=1554069600
| eval determine_date =
[ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600
| eval date_display = strftime(1553986800, "\"%a %B %d %m\"")
| stats values(date_display) as search ]
| stats sum(bytes) as "License Usage" by original_source
Also, do you always return a hard-coded data value from the subsearch???
I get the following error.
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
Also, do you always return a hard-coded data value from the subsearch???
No but I tried to give an easy example containing the problem.
What's your actual subsearch that you will be using?? Also, try the updated version.
@somesoni2 I think you missed the following eval before return:
| eval date_determined="\"".date_determined."\""
@sboogaar even if you have provided an example to return a hard-coded value from the subsearch, is it possible your subsearch will return multiple values? Is it the values() aggregate function that you need, or something else which better suits your needs? Or else would you convert the multi-value result to a single value?
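Putting the two last comments together (the quoting eval suggested for the subsearch, and the question of what happens when values() returns more than one value), here is a complete outer search as an added example; it is not code from any of the posters. It keeps the placeholder index names and the fixed epoch 1553986800 from the question, assumes that several dates should be collapsed into one comma-separated string with mvjoin before quoting, and adds determine_date to the by clause so the value is still visible after the final stats.

```spl
index=some_license_index earliest=1553986800 latest=1554069600
| eval determine_date =
    [ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600
      | eval date_display = strftime(1553986800, "%a %B %d %m")
      | stats values(date_display) as date_determined
      | eval date_determined = mvjoin(date_determined, ", ")
      | eval date_determined = "\"" . date_determined . "\""
      | return $date_determined ]
| stats sum(bytes) as "License Usage" by original_source determine_date
```

The subsearch is substituted as text into the outer search, so what eval sees is the expanded form. With the two extra evals the expansion is | eval determine_date = "Sun March 31 03" (the exact text depends on the search head's time zone), which is a valid string literal; without them it is the bare tokens Sun March 31 03, which is the malformed expression from the question. mvjoin returns a single-valued field unchanged, so the same subsearch works whether values() produces one date or several; if only one date is ever wanted, | head 1 or stats max(date_display) in place of mvjoin are alternatives.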