Solved: Re: Inconsistency in eval behavior

immortalraghava · ‎02-22-2018

I have a sample search with an eval statement which works,

index = _internal | head 1 | eval temp = strftime(now(),"%M") | table temp

But when I try to add the same to a macro, it doesn't work.

[find_current_min]
definition = strftime(now(),"%M")
iseval = 1

I get the following error when I try to call the macro `find_current_min`

Please explain this strange behavior.

Any help appreciated.

Thanks

immortalraghava · ‎06-28-2018

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

View solution in original post

immortalraghava · ‎06-28-2018

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

elliotproebstel · ‎02-22-2018

I agree with @cusello that this would be a good use case for a Calculated Field, but you should also be able to make this work as it stands by simply changing iseval = 1 to iseval = 0.

As per the documentation for macros.conf, this setting should only be set to 1 if "the definition attribute is expected to be an eval expression that returns a string that represents the expansion of this macro."

gcusello · ‎02-22-2018

hi immortalraghavan,
To do what you want, you don't need a macro, but a calculated field [Setting -- Fields -- Calculated fields] and don't need also of eval command.

Only for my curiosity, why you need the now minute?

Bye.
Giuseppe

Inconsistency in eval behavior

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!