Splunk Search

Inconsistency in eval behavior

Path Finder

I have a sample search with an eval statement which works,

index = _internal | head 1 | eval temp = strftime(now(),"%M") | table temp

But when I try to add the same to a macro, it doesn't work.

[find_current_min]
definition = strftime(now(),"%M")
iseval = 1

I get the following error when I try to call the macro `findcurrentmin`

alt text

Please explain this strange behavior.

Any help appreciated.

Thanks

0 Karma
1 Solution

Path Finder

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

View solution in original post

0 Karma

Path Finder

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

View solution in original post

0 Karma

I agree with @cusello that this would be a good use case for a Calculated Field, but you should also be able to make this work as it stands by simply changing iseval = 1 to iseval = 0.

As per the documentation for macros.conf, this setting should only be set to 1 if "the definition attribute is expected to be an eval expression that returns a string that represents the expansion of this macro."

0 Karma

Legend

hi immortalraghavan,
To do what you want, you don't need a macro, but a calculated field [Setting -- Fields -- Calculated fields] and don't need also of eval command.

Only for my curiosity, why you need the now minute?

Bye.
Giuseppe

0 Karma