I have defined a macro that returns an amount of seconds with "s" appended to it, based on a start and end time. I want to use this macro to assign dynamic span values to a timechart.
This is my macro:
[get_timespan(2)]
args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1
When I test this in a dummy search, this query actually returns a table with "86400s" in each row:
bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span
So the macro works as expected and returns a value.
But when I try to invoke the macro in the span using this query:
bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count
I get an error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ".
It looks like it doesn't do the actual 'math' in the second query and just returns the macro definition, although it's an "iseval" macro. How can I get this to work?
One workaround would be to use an eval before the timechart command to resolve the macro and then use it on the span command:
bla | eval tspan=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | timechart span=tspan ..
In which case your only option is to modify the search macro to result in the text "span=xxxxxx" instead of returning only the actual timespan.
An example is provided by martin.
Also a good idea, but assigning a variable to "span=" doesn't work either:
Error in 'timechart' command: The value for option span (tspan) is invalid.
See also my other question on this forum: http://answers.splunk.com/answers/222954/how-to-pass-a-variable-to-timechart-span.html
I just poked around the macros.conf documentation and saw that the iseval attribute format is supposed to be iseval = true/false, not iseval = 1/0. Could that be the problem?