- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Adding a date to a string Message
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create an error message based on a time frame, the last 15 min. and now. So the error message would say,
"Client Missed file between 15:15:00 - 15:30:00"
The times are calculated at the time of the search and the following search below fails as "Error in 'eval' command: Typechecking failed. '+' only takes two strings or two numbers."
| eval 15MinEarly=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S")
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " + 15MinEarly + " - " Now
How do you convert the two times to string so I can concatenate them into the error message?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@griffinpair,
Is it ok for you to change the variable name from 15MinEarly to MinEarly_15? Also change your search to add + to the last "Now"
| eval MinEarly_15=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S")
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " + MinEarly_15 + " - " + Now
Looks like splunk is bit confused to see the variables starting with digits 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@griffinpair,
Is it ok for you to change the variable name from 15MinEarly to MinEarly_15? Also change your search to add + to the last "Now"
| eval MinEarly_15=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S")
| eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S")
| eval ErrorMessage = "Client Missed file between: " + MinEarly_15 + " - " + Now
Looks like splunk is bit confused to see the variables starting with digits 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was exactly the problem. Thanks so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use . for concatenation of strings
| eval 15MinEarly=strftime(relative_time(now(), "-15m"), "%m/%d/%Y %H:%M:%S") | eval Now=strftime(now(), "%m/%d/%Y %H:%M:%S") | eval ErrorMessage = "Client Missed file between: " .15MinEarly ." - ".Now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got the following error:
⚠ Error in 'eval' command: The expression is malformed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are your fields 15MinEarly and Now working? try
| table 15MinEarly Now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Both fields return expected values.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
