Splunk Search

When I use eval command to assign search to variable, why does it return "Error in 'eval' command: Fields cannot be assigned a boolean result"?

New2Splunk
Explorer

I have a simple search of a CSV file pulling back the latest timestamp:

source=/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime

This returns the correct entry:

2017-05-22 08:13:58.169 US/Eastern

I want to assign that value to a variable so I can use it in a larger search. However, when I try things like:

| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime]

I get the error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). 

This error seems to be consistent with different things I try, like using a "return fileDatetime" in the subsearch, throwing in double quotes, etc. I've searched the forums, and seem to see this error when people are actually doing Boolean operations, but all I want to do is assign a search value to a variable. I'm not understanding what this error is telling me. Can someone tell me how to set the variable equal to the timestamp I get when I run this search standalone so it can be used in the larger search, and if you can shed any light onto what this error is saying in relation to what I am doing, I'd really appreciate it.

1 Solution

somesoni2
SplunkTrust

Your current syntax returns a string with the field name as well (it returns fileDatetime="Value"), which causes eval to fail. To return just the value, try this:

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime | eval fileDatetime="\"".fileDatetime."\"" | return $fileDatetime]

OR (search is a special keyword which will return just the value):

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as search | eval search ="\"".search."\""]
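
The reason the error talks about a "boolean result" is easier to see once the subsearch text is written out. The following Python is an added illustration, not code from this thread or from Splunk: it models, under an assumed simplification of the documented behaviour, how a subsearch result is spliced into the outer search (a row becomes `( field="value" )`, while a row whose only field is named `search` is inserted verbatim), and then classifies what eval sees to the right of `=` for the original attempt, for `return $fileDatetime` without the quoting step, and for the accepted fix. The sample timestamp and the shortened subsearch body are constructed.

```python
"""
Model of how Splunk splices a subsearch result into the outer search string.
This is an added illustration, not Splunk's code. The rendering rules are an
assumed simplification of the documented behaviour:
  * a result row becomes ( field="value" AND ... ), and several rows are
    OR-ed together;
  * a row whose only field is named `search` (what `| return $field` or
    `... as search` produces) is inserted verbatim, without the field name.
"""
import re

# Constructed sample value, standing in for the latest TIMESTAMP in the CSV.
LATEST = "2017-05-22 08:13:58.169 US/Eastern"

# The outer search from the question, with a shortened (constructed) subsearch body.
OUTER = "| eval fileDatetime=[search source=invalid_logins.csv | stats latest(TIMESTAMP) as fileDatetime]"


def format_subsearch_results(rows):
    """Render subsearch result rows as the text that replaces [search ...]."""
    rendered = []
    for row in rows:
        if list(row) == ["search"]:
            rendered.append(str(row["search"]))          # special field: value only
        else:
            terms = " AND ".join(f'{f}="{v}"' for f, v in row.items())
            rendered.append(f"( {terms} )")
    if len(rendered) == 1:
        return rendered[0]
    return "( " + " OR ".join(rendered) + " )"


def return_dollar(rows, field):
    """Model `| return $field`: the first row's value, emitted under the `search` field."""
    return [{"search": row[field]} for row in rows[:1]]


def quote_field(rows, field):
    """Model the quoting eval from the answer: wrap the value in literal double quotes."""
    return [{**row, field: f'"{row[field]}"'} for row in rows]


def substitute(outer, rows):
    """Replace the first [search ...] in `outer` with the rendered subsearch result."""
    return re.sub(r"\[search [^\]]*\]", lambda _m: format_subsearch_results(rows), outer, count=1)


def classify_eval_rhs(search):
    """Say what eval sees to the right of its first '=' after substitution."""
    rhs = search.split("=", 1)[1].strip()
    if rhs.startswith("(") and rhs.endswith(")"):
        rhs = rhs[1:-1].strip()
    if re.fullmatch(r'"[^"]*"', rhs):
        return "string literal"
    if re.search(r'\w+\s*=\s*"', rhs):
        return "comparison (boolean)"
    return "unquoted text (not a valid expression)"


def original_attempt():
    """The question's eval: the row keeps its field name, so eval gets a comparison."""
    return substitute(OUTER, [{"fileDatetime": LATEST}])


def unquoted_return():
    """`| return $fileDatetime` without the quoting eval: a bare, unquoted value."""
    return substitute(OUTER, return_dollar([{"fileDatetime": LATEST}], "fileDatetime"))


def fixed_attempt():
    """The accepted fix: quote the value, then return it under the `search` field."""
    rows = quote_field([{"fileDatetime": LATEST}], "fileDatetime")
    return substitute(OUTER, return_dollar(rows, "fileDatetime"))


if __name__ == "__main__":
    for attempt in (original_attempt, unquoted_return, fixed_attempt):
        expanded = attempt()
        print(f"{attempt.__name__:>17}: {expanded}")
        print(f"{'':>17}  -> {classify_eval_rhs(expanded)}")
```

Running it shows the three shapes side by side: the original attempt expands to `eval fileDatetime=( fileDatetime="..." )`, which is a comparison, hence the boolean error; returning the value without the quoting step leaves an unquoted timestamp that eval cannot parse; and quoting first, then returning the value under the `search` field, yields a plain string literal.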

New2Splunk
Explorer

Thanks somesoni2! This does exactly what I need. And thanks for the explanation!

0 Karma

cmerriman
Super Champion

I would create a macro for this.
Go to Settings>Advanced search>Add new Search macros

Name=fileDateTime
Definition=source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime

Then you can use that inside of a search by calling |fileDateTime
http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Definesearchmacros

0 Karma
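
As an added illustration of the macro approach (not code from this thread or from Splunk), the following Python models a parameterised search macro and its expansion. The stanza shape follows macros.conf as documented at the link above: a macro taking one argument is named `fileDateTime(1)`, its `args` entry names the parameter, the definition references it as `$file$`, and a call is written between backticks as `` `fileDateTime("...")` ``. The macro and parameter names are assumptions, as is the expansion rule (each argument is pasted into the definition as plain text, quotes included); the file path comes from the question.

```python
"""
Model of a parameterised Splunk search macro and its expansion. This is an
added illustration, not Splunk's code. The stanza layout follows macros.conf
(a macro taking N arguments is named `name(N)`, `args` lists the parameter
names, and the definition references them as `$param$`); the expansion rule
is an assumed simplification: each argument is pasted into the definition as
plain text, quotes included.
"""
import re

# Constructed stanza: cmerriman's search, generalised with a `file` argument
# (the macro and parameter names are assumptions).
MACROS = {
    "fileDateTime(1)": {
        "args": ["file"],
        "definition": "source=$file$ host=servername sourcetype=csv "
                      "| stats latest(TIMESTAMP) as fileDatetime",
    },
}

# A macro call is written between backticks: `name` or `name(arg1, arg2)`.
CALL = re.compile(r"`(\w+)(?:\(([^`]*)\))?`")


def split_args(text):
    """Split a call's argument list on commas; quotes are kept as written."""
    if text is None or not text.strip():
        return []
    return [a.strip() for a in text.split(",")]


def expand_macros(search, macros=MACROS):
    """Replace every macro call in `search` with its expanded definition."""
    def replace(match):
        name, args = match.group(1), split_args(match.group(2))
        key = f"{name}({len(args)})" if args else name
        if key not in macros:
            raise KeyError(f"no macro {key!r}: check the name and the argument count")
        body = macros[key]["definition"]
        for param, value in zip(macros[key]["args"], args):
            body = body.replace(f"${param}$", value)
        return body
    return CALL.sub(replace, search)


def expands_cleanly(search, macros=MACROS):
    """True when every macro call in `search` resolves to a known name and arity."""
    try:
        expand_macros(search, macros)
        return True
    except KeyError:
        return False


def example_search():
    """Use the macro inside the subsearch pattern from the accepted answer."""
    outer = ('| eval fileDatetime=[search '
             '`fileDateTime("/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv")` '
             '| eval fileDatetime="\\"".fileDatetime."\\"" | return $fileDatetime]')
    return expand_macros(outer)


if __name__ == "__main__":
    print(example_search())
```

Because the argument count is part of the macro's name, a call with the wrong number of arguments fails to resolve rather than silently expanding to something else; `expands_cleanly` makes that check explicit so a saved search can be validated before it is run.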

New2Splunk
Explorer

Thanks for the answer, cmerriman! I wasn't aware of this option. Where I work it's a "learn just enough to get the job done" kind of environment, so I was working on the simple search option. But macros are definitely something I will look into because I have a lot of files to search, and a generic macro that I can feed the file name/location into as a parameter and get back the result will be a huge help. Thanks!

0 Karma

cmerriman
Super Champion

It's definitely a great option when you use the same search over and over with different arguments, and especially if the search ever changes, since you only have to change it in one place.

0 Karma