I have a simple search of a CSV file pulling back the latest timestamp:
source=/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime
This returns the correct entry:
2017-05-22 08:13:58.169 US/Eastern
I want to assign that value to a variable so I can use it in a larger search. However, when I try things like:
| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime]
I get the error:
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
This error seems to be consistent with different things I try, like using a "return fileDatetime" in the subsearch, throwing in double quotes, etc. I've searched the forums, and seem to see this error when people are actually doing Boolean operations, but all I want to do is assign a search value to a variable. I'm not understanding what this error is telling me. Can someone tell me how to set the variable equal to the timestamp I get when I run this search standalone so it can be used in the larger search, and if you can shed any light onto what this error is saying in relation to what I am doing, I'd really appreciate it.
Your current syntax returns a string with the field name as well (it returns fileDatetime="Value"), which causes eval to fail. To return just the value, try this:
...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime | eval fileDatetime="\"".fileDatetime."\"" | return $fileDatetime]
OR (search is a special field name; a subsearch field called search returns just its value, without the field=value form):
...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as search | eval search="\"".search."\""]
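To show why the original eval failed and how the fixed subsearch is used in the larger search, here is an added example; it is not part of somesoni2's answer or the asker's searches. The index name oracle_audit, the sourcetype oracle:audit and the fields ACTION, RETURNCODE, USERNAME and OS_HOST are assumptions made for illustration; the CSV path, host and the subsearch are the ones from the thread. The strptime format assumes every TIMESTAMP value looks exactly like the one shown above (2017-05-22 08:13:58.169 US/Eastern): only the first 23 characters are parsed and the zone suffix is dropped, so the epoch is computed in the search head's time zone and is only exact if that is also US/Eastern. The triple-backtick comments need a Splunk release newer than the 6.6 docs linked in this thread; delete them on older versions.

```spl
``` assumed index/sourcetype/fields: failed Oracle logons not yet in the CSV export ```
index=oracle_audit sourcetype=oracle:audit host=servername ACTION=LOGON RETURNCODE!=0
``` subsearch from the thread: naming the field "search" makes the subsearch return the bare value,
    and the eval wraps it in double quotes so the outer eval sees a string literal ```
| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv
    | stats latest(TIMESTAMP) as search
    | eval search="\"".search."\""]
``` assumption: fixed layout "YYYY-MM-DD HH:MM:SS.mmm <zone>", zone suffix dropped before parsing ```
| eval fileEpoch=strptime(substr(fileDatetime, 1, 23), "%Y-%m-%d %H:%M:%S.%3N")
``` keep only events newer than the latest row already exported to the CSV ```
| where _time > fileEpoch
| table _time USERNAME OS_HOST fileDatetime
```

What the error message was saying: without the fix, the subsearch expands to fileDatetime="2017-05-22 08:13:58.169 US/Eastern", so the outer command becomes eval fileDatetime=fileDatetime="2017-05-22 ...", and eval reads the right-hand side as a comparison between the field and a string, which is a boolean, hence "Fields cannot be assigned a boolean result". The quoting step matters as well: if the subsearch returned the bare, unquoted value, the outer eval would be handed 2017-05-22 08:13:58.169 US/Eastern as an expression rather than a string.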
Thanks somesoni2! This does exactly what I need. And thanks for the explanation!
I would create a macro for this.
Go to Settings>Advanced search>Add new Search macros
Name=fileDateTime
Definition=source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime
then you can use that inside a search by calling `fileDateTime` (macro names go in backticks) at the start of the search
http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Definesearchmacros
Thanks for the answer, cmerriman! I wasn't aware of this option. Where I work it's a "learn just enough to get the job done" kind of environment, so I was working on the simple search option. But macros are definitely something I will look into because I have a lot of files to search, and a generic macro that I can feed the file name/location into as a parameter and get back the result will be a huge help. Thanks!
It's definitely a great option when you use the same search over and over with different arguments, especially if the search ever changes, since you only have to change it in one place.
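The parameterized version the asker describes (one macro that takes the file path and hands back the latest timestamp), as an added example that is not cmerriman's macro or the asker's own work. It combines cmerriman's macro with somesoni2's "search" field trick so the macro can be called inside a subsearch. Defined the same way as above (Settings > Advanced search > Search macros > Add new), the macro is:

Name=fileDateTime(1)
Arguments=file
Definition=source=$file$ host=servername sourcetype=csv | stats latest(TIMESTAMP) as search | eval search="\"".search."\""

The (1) in the name is the argument count, and $file$ is replaced by whatever is passed when the macro is called. The search below uses the two CSV paths that appear in this thread; the strptime format and the 23-character substr are the same assumption as before (timestamps laid out exactly like 2017-05-22 08:13:58.169 US/Eastern, zone suffix dropped). The staleness calculation and its field names are illustrative additions, not something the thread describes. The triple-backtick comments need a Splunk release newer than the 6.6 docs linked above.

```spl
``` makeresults gives one empty row to hang the values on; each eval runs the macro inside a subsearch ```
| makeresults
| eval prodLatest=[`fileDateTime(/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv)`]
| eval csvLatest=[`fileDateTime(/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv)`]
``` assumption: fixed "YYYY-MM-DD HH:MM:SS.mmm <zone>" layout, zone suffix dropped before parsing ```
| eval prodEpoch=strptime(substr(prodLatest, 1, 23), "%Y-%m-%d %H:%M:%S.%3N"),
       csvEpoch=strptime(substr(csvLatest, 1, 23), "%Y-%m-%d %H:%M:%S.%3N")
``` hours since each export last recorded a row, to spot a feed that silently stopped updating ```
| eval prodStaleHours=round((now() - prodEpoch) / 3600, 1),
       csvStaleHours=round((now() - csvEpoch) / 3600, 1)
| table prodLatest prodStaleHours csvLatest csvStaleHours
```

The paths are passed without quotes because they contain no spaces or commas; an argument that does contain either must be quoted when the macro is called. Because the macro's definition ends by naming the result field search and quoting it, `[`fileDateTime(...)`]` expands to just the quoted timestamp, so the outer eval never sees the field=value form that caused the boolean error in the first place.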