I have a sample search with an eval statement which works,
index = _internal | head 1 | eval temp = strftime(now(),"%M") | table temp
But when I try to add the same to a macro, it doesn't work.
[find_current_min]
definition = strftime(now(),"%M")
iseval = 1
I get the following error when I try to call the macro `find_current_min`
Please explain this strange behavior.
Any help appreciated.
Thanks
To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10
We achieved this by using time()
. now()
doesn't work with iseval =1
To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10
We achieved this by using time()
. now()
doesn't work with iseval =1
I agree with @cusello that this would be a good use case for a Calculated Field, but you should also be able to make this work as it stands by simply changing iseval = 1
to iseval = 0
.
As per the documentation for macros.conf, this setting should only be set to 1 if "the definition attribute is expected to be an eval expression that returns a string that represents the expansion of this macro."
hi immortalraghavan,
To do what you want, you don't need a macro, but a calculated field [Setting -- Fields -- Calculated fields] and don't need also of eval command.
Only for my curiosity, why you need the now minute?
Bye.
Giuseppe