Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: The expression is malformed. An unexpected character is reached at `\"%Y-%m-%dT%H:%M:%SZ\"), \`

abhinav_go
Explorer
‎06-14-2024 12:42 AM

Hello team ,

I am trying to create macro and than use in my splunk dashboard . The purpose is to get time of entered input in dashboard (in only UTC standard) irrespective of user’s time setting in Splunk. 

My macro is :

[strftime_utc(2)]
args = field, format
definition = strftime($field$ - (strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%SZ\"), \"%Y-%m-%dT%H:%M:%S%Z\")-strptime(strftime($field$, \"%Y-%m-%dT%H:%M:%S\"), \"%Y-%m-%dT%H:%M:%S\")), \"$format$\")

 and now my search looks like:

*My query* | eval utc_time=`strftime_utc(_time, "%Y-%m-%dT%H:%M:%SZ")`

So that always get the output in UTC standard only.

But I am getting below error:

 Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"%Y-%m-%dT%H:%M:%SZ\"), \"%Y-%m-%dT%H:%M:%SZ\") - strptime(strftime(_time, \"%Y-%m-%dT%H:%M:%S\"), \"%Y-%m-%dT%H:%M:%S\")), \"%Y-%m-%dT%H:%M:%SZ\"))'.

How can i resolve ?

Any help is appreciated.

Thanks

Labels (1)
Labels
0 Karma
Reply

abhinav_go
Explorer
‎06-18-2024 03:56 AM

Any suggestions by anyone or any query to suggest which I can use to leverage to convert and enforce user's input time to UTC time format only ?

0 Karma
Reply

glc_slash_it
Path Finder
‎06-14-2024 01:19 AM

I believe you don't have to escape the double quotes.

Check the examples in the docs:

https://docs.splunk.com/Documentation/Splunk/9.2.1/admin/macrosconf

0 Karma
Reply

abhinav_go
Explorer
‎06-14-2024 03:07 AM

Even after removing the escape character , still getting error, now as "Error in 'EvalCommand': The expression is malformed."

Updated query : 

strftime($field$ - (strptime(strftime($field$,"%Y-%m-%dT%H:%M:%SZ"),"%Y-%m-%dT%H:%M:%SZ") - strptime(strftime($field$,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%dT%H:%M:%S")),"$format$")

 

Also in "validation expression" while creating macro, i wrote   iseval=1

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...