Using $starttime$ and $endtime$ in a macro with 'm...

phemmer · ‎05-15-2013

I am trying to create a macro which uses $startime$ and $endtime$ in a map. Whenever I do however I get the following error:

Error in 'map': Did not find value for required attribute 'starttime'.

Also this only happens if I specify a search time frame such as "Last 15 minutes". If I specify a custom time frame with specific beginning and end it works.

Here is the macro:

$search$ | localize timebefore=10s timeafter=10s | map search="search ( ($search$) OR ($filter$) ) starttimeu=$starttime$ endtimeu=$endtime$" | eval _raw=strftime(_time, "%T")." - "._raw | transaction maxpause=10s

The parameters are search and filter.

Additionally when I run the macro by hand, substituting the parameters, it works.

For example, this fails:

`surrounding("status>=500 status<=599", "error")`

But this works:

status>=500 status<=599 | localize timebefore=10s timeafter=10s | map search="search ( (status>=500 status<=599) OR (error) ) starttimeu=$starttime$ endtimeu=$endtime$" | eval _raw=strftime(_time, "%T")." - "._raw | transaction maxpause=10s

sowings · ‎05-16-2013

When I had to pass a field through to the map command like this (note: as part of saved search!), I had to double the dollar signs:

Maybe doubling the dollar signs can help you?

phemmer · ‎05-16-2013

No joy, still gives the same error :-(. Thanks though.

reed_kelly · ‎06-25-2018

Unrelated, but that worked for me when adding a map command (with substitutions) to a dashboard. 🙂

kml_uvce · ‎05-15-2013

you are not passing $starttime$ and $endtime$ as arguments in macro call...

-Kamal Bisht

phemmer · ‎05-16-2013

You are correct, because they are not arguments. See documentation on map and localize.

Using $starttime$ and $endtime$ in a macro with 'map'

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!