Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using a Macro to return the earliest time value

theouhuios
Motivator
‎07-14-2015 12:54 PM

Hello

I have drop-down acting like a timepicker. So when a user selects "Current Month", the $time$ (token for the drop down) is earliest=@mon latest=now(). Now I have to use this token and get the earliest value out to use it in a subsearch. I DON'T need the latest value from the token.

So I wrote a macro earliestevent(1) which does this and is set to eval-definition=true

earliest=-1m@m index=abc|stats count |append[|stats count|fields count|rename count as Time|eval Time="$time$"]|eventstats first(Time) as Time|rex field=Time "earliest\=(?P<earliest>\S+)"|dedup earliest|table earliest|eval earliest=tostring(earliest)

Now I get the @mon as the value, but when I do earliest=earliestevent("earliest=@mon latest=now()") index=_internal (Somehow I am not able to place ` around the macro and get the format) it gives me 

Error in 'SearchParser': The definition of macro 'earliestevent(1)' is expected to be an eval expression that returns a string.

Not sure what mistake I am doing. It's my first time writing an eval- definition macro. Any ideas on where I might be wrong?

Tags (4)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-14-2015 01:05 PM

It is telling you that your macro must be a streaming portion of a search, not a complete search. In other words, whatever goes into a macro must be something that fits in a fuller search after a pipe ( | ) character. So your macro is nonsensical because it is not syntactically valid to do a search like this:

... | earliest= ...

I am not sure what you are trying to do exactly but this is one way to make your macro syntactically (but probably not calculatingly) valid:

append [search earliest=-1m@m index=abc|stats count |append[|stats count|fields count|rename count as Time|eval Time="$time$"]|eventstats first(Time) as Time|rex field=Time "earliest\=(?P<earliest>\S+)"|dedup earliest|table earliest|eval earliest=tostring(earliest)]

This should be syntactically valid because append is valid after a pipe. Remember that you may only call a macro after a pipe like this:

... | `earliestevent("earliest=@mon latest=now()")`
0 Karma
Reply

theouhuios
Motivator
‎07-15-2015 05:09 AM

Thanks for the explanation. I understand where I am doing wrong. But is there a way that I can take a string like "earliest=@mon latest=now()" and get the output result as whatever the earliest value is and use it like 

...|join report_month [search earliest=`macro($arg$)` latest=`macro($arg$)`+1h@h index=blah ...]` ?
0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2015 09:15 AM

You can use addinfo, like this:

... | addinfo | join report_month [search earliest=info_min_time latest=info_max_time+3600 index=blah ...]

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/addinfo

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...