Valid iseval macro doesn't expand when used in "span="

Sloefke
Path Finder

Hi,

I have defined a macro that returns an amount of seconds with "s" appended to it, based on a start and end time. I want to use this macro to assign dynamic span values to a timechart.

This is my macro:

[get_timespan(2)]
args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1

When I test this in a dummy search, this query actually returns a table with "86400s" in each row:

bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span

So the macro works as expected and returns a value.

But when I try to invoke the macro in the span using this query:

bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count

I get an error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ".

It looks like it doesn't do the actual 'math' in the second query and just returns the macro definition, although it's an "iseval" macro. How can I get this to work?

0 Karma

ramdaspr
Contributor

One workaround would be to use an eval before the timechart command to resolve the macro and then use it on the span command:

bla | eval tspan=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | timechart span=tspan ..
0 Karma

ramdaspr
Contributor

In which case your only option is to modify the search macro to result in the text "span=xxxxxx" instead of returning only the actual timespan.

An example is provided by martin
http://answers.splunk.com/answers/79779/passing-span-as-argument-to-timechart.html

0 Karma

Sloefke
Path Finder

Also a good idea, but assigning a variable to "span=" doesn't work either:

Error in 'timechart' command: The value for option span (tspan) is invalid. 

See also my other question on this forum: http://answers.splunk.com/answers/222954/how-to-pass-a-variable-to-timechart-span.html

0 Karma

ppablo
Retired

Hi @Sloefke

I just poked around the macros.conf documentation and saw that the iseval attribute format is supposed to be iseval = true/false, not iseval = 1/0. Could that be the problem?
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Macrosconf

0 Karma

Sloefke
Path Finder

Good idea, but unfortunately "1" and "true" both are valid options in the macros.conf file 😉
I tested it to be sure, same error.

0 Karma