Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Inconsistency in eval behavior

immortalraghava
Path Finder
‎02-22-2018 03:42 AM

I have a sample search with an eval statement which works, 

index = _internal | head 1 | eval temp = strftime(now(),"%M") | table temp

But when I try to add the same to a macro, it doesn't work. 

[find_current_min]
definition = strftime(now(),"%M")
iseval = 1

I get the following error when I try to call the macro `find_current_min`

alt text

Please explain this strange behavior.

Any help appreciated.

Thanks

Preview file
13 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

immortalraghava
Path Finder
‎06-28-2018 07:23 AM

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

immortalraghava
Path Finder
‎06-28-2018 07:23 AM

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-22-2018 07:04 AM

I agree with @cusello that this would be a good use case for a Calculated Field, but you should also be able to make this work as it stands by simply changing iseval = 1 to iseval = 0.

As per the documentation for macros.conf, this setting should only be set to 1 if "the definition attribute is expected to be an eval expression that returns a string that represents the expansion of this macro."

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2018 04:36 AM

hi immortalraghavan,
To do what you want, you don't need a macro, but a calculated field [Setting -- Fields -- Calculated fields] and don't need also of eval command.

Only for my curiosity, why you need the now minute?

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...