Solved: Converting @d for eval command

kunwarjit · ‎12-02-2019

I am trying to use the token passed through the time input in a dashboard to a search query. In this specific example, I am trying to do the following

|eval date=strptime($timepicker.latest$,"%H:%M")

If I select the default time as 'today' or 'yesterday', the value for timepicker is sent as @d and the eval command cannot extract the hour and minute, rather, it fails with the following

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@d,"%H:%M")'. How can I pass through the timepicker token as a converted epoch formatted time.

kamlesh_vaghela · ‎12-03-2019

@kunwarjit

Here I suggest to use addinfo search command. You will get time boundary as fields in epochtime. So you can use directly as per your need.

info_min_time : The earliest time boundary for the search.
info_max_time The latest time boundary for the search.

| makeresults | addinfo |eval date=strftime(info_max_time,"%H:%M")

https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Addinfo

Thanks

View solution in original post

woodcock · ‎12-03-2019

Coincidentally enough, code was just posted for this a few days ago here (be sure to UpVote:
https://answers.splunk.com/answers/786365/can-some-one-explain-me-the-function-of-the-below.html#ans...

kamlesh_vaghela · ‎12-03-2019

@kunwarjit

Here I suggest to use addinfo search command. You will get time boundary as fields in epochtime. So you can use directly as per your need.

info_min_time : The earliest time boundary for the search.
info_max_time The latest time boundary for the search.

| makeresults | addinfo |eval date=strftime(info_max_time,"%H:%M")

https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Addinfo

Thanks

kunwarjit · ‎12-03-2019

Thanks, works like a charm!

Converting @d for eval command

How I Instrumented a Rust Application Without Knowing Rust

Splunk Community Platform Survey

Observability Highlights | November 2022 Newsletter