I have drop-down acting like a timepicker. So when a user selects "Current Month", the
$time$ (token for the drop down) is
earliest=@mon latest=now(). Now I have to use this token and get the earliest value out to use it in a subsearch. I DON'T need the latest value from the token.
So I wrote a macro earliestevent(1) which does this and is set to eval-definition=true
earliest=-1m@m index=abc|stats count |append[|stats count|fields count|rename count as Time|eval Time="$time$"]|eventstats first(Time) as Time|rex field=Time "earliest\=(?P<earliest>\S+)"|dedup earliest|table earliest|eval earliest=tostring(earliest)
Now I get the
@mon as the value, but when I do
earliest=earliestevent("earliest=@mon latest=now()") index=_internal (Somehow I am not able to place ` around the macro and get the format) it gives me
Error in 'SearchParser': The definition of macro 'earliestevent(1)' is expected to be an eval expression that returns a string.
Not sure what mistake I am doing. It's my first time writing an eval- definition macro. Any ideas on where I might be wrong?
It is telling you that your macro must be a streaming portion of a search, not a complete search. In other words, whatever goes into a macro must be something that fits in a fuller search after a pipe (
| ) character. So your macro is nonsensical because it is not syntactically valid to do a search like this:
... | earliest= ...
I am not sure what you are trying to do exactly but this is one way to make your macro syntactically (but probably not calculatingly) valid:
append [search earliest=-1m@m index=abc|stats count |append[|stats count|fields count|rename count as Time|eval Time="$time$"]|eventstats first(Time) as Time|rex field=Time "earliest\=(?P<earliest>\S+)"|dedup earliest|table earliest|eval earliest=tostring(earliest)]
This should be syntactically valid because
append is valid after a pipe. Remember that you may only call a macro after a pipe like this:
... | `earliestevent("earliest=@mon latest=now()")`
Thanks for the explanation. I understand where I am doing wrong. But is there a way that I can take a string like "earliest=@mon latest=now()" and get the output result as whatever the earliest value is and use it like
...|join report_month [search earliest=`macro($arg$)` latest=`macro($arg$)`+1h@h index=blah ...]` ?
You can use
addinfo, like this:
... | addinfo | join report_month [search earliest=info_min_time latest=info_max_time+3600 index=blah ...]