Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When I use eval command to assign search to variable, why does it return "Error in 'eval' command: Fields cannot be assigned a boolean result"?

New2Splunk
Explorer
‎05-22-2017 10:04 AM

I have a simple search of a CSV file pulling back the latest timestamp:

source=/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime

This returns the correct entry:

2017-05-22 08:13:58.169 US/Eastern

I want to assign that value to a variable so I can use it in a larger search . However, when I try things like:

| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime]

I get the error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

This error seems to be consistent with different things I try, like using a "return fileDatetime" in the subsearch, throwing in double quotes, etc. I've searched the forums, and seem to see this error when people are actually doing Boolean operations, but all I want to do is assign a search value to a variable. I'm not understanding what this error is telling me. Can someone tell me how to set the variable equal to the timestamp I get when I run this search standalone so it can be used in the larger search, and if you can shed any light onto what this error is saying in relation to what I am doing, I'd really appreciate it.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-22-2017 10:22 AM

Your current syntax return string with field name as well (returns fileDatetime="Value") which causes eval to fail. To return just the value, try like this

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime | eval fileDatetime="\"".fileDatetime."\""| return $filedatetime]

OR (search is special keyword which will return just the value.

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as search | eval search ="\"".search."\""]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-22-2017 10:22 AM

Your current syntax return string with field name as well (returns fileDatetime="Value") which causes eval to fail. To return just the value, try like this

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime | eval fileDatetime="\"".fileDatetime."\""| return $filedatetime]

OR (search is special keyword which will return just the value.

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as search | eval search ="\"".search."\""]
Reply
Solved! Jump to solution

New2Splunk
Explorer
‎05-22-2017 10:33 AM

Thanks somesoni2! This does exactly what I need. And thanks for the explanation!

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎05-22-2017 10:21 AM

i would create a macro for this.
Go to Settings>Advanced search>Add new Search macros

Name=fileDateTime
Definition=source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime

then you can use that inside of a search by calling |fileDateTime
http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Definesearchmacros

0 Karma
Reply
Solved! Jump to solution

New2Splunk
Explorer
‎05-22-2017 10:37 AM

Thanks for the answer, cmerriman! I wasn't aware of this option. Where I work it's a "learn just enough to get the job done" kind of environment, so I was working on the simple search option. But macros are definitely something I will look into because I have a lot of files to search, and a generic macro that I can feed the file name/location into as a parameter and get back the result will be a huge help. Thanks!

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎05-22-2017 10:40 AM

it's definitely a great option when you use the same search over and over with different arguments, especially if the search ever changes, you only have to change it in one place.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...