Splunk Search

When I use eval command to assign search to variable, why does it return "Error in 'eval' command: Fields cannot be assigned a boolean result"?

New2Splunk
Explorer

I have a simple search of a CSV file pulling back the latest timestamp:

source=/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime

This returns the correct entry:

2017-05-22 08:13:58.169 US/Eastern

I want to assign that value to a variable so I can use it in a larger search. However, when I try things like:

| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime]

I get the error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). 

This error seems to be consistent across the different things I try, like using a "return fileDatetime" in the subsearch, throwing in double quotes, etc. I've searched the forums, and seem to see this error when people are actually doing Boolean operations, but all I want to do is assign a search value to a variable. I'm not understanding what this error is telling me. Can someone tell me how to set the variable equal to the timestamp I get when I run this search standalone so it can be used in the larger search? And if you can shed any light onto what this error is saying in relation to what I am doing, I'd really appreciate it.

1 Solution

somesoni2
Revered Legend

Your current syntax returns a string with the field name as well (returns fileDatetime="Value"), which causes eval to fail. To return just the value, try like this:

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime | eval fileDatetime="\"".fileDatetime."\"" | return $fileDatetime]

OR (search is a special keyword which will return just the value):

...| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as search | eval search="\"".search."\""]

New2Splunk
Explorer

Thanks somesoni2! This does exactly what I need. And thanks for the explanation!

0 Karma

cmerriman
Super Champion

I would create a macro for this.
Go to Settings>Advanced search>Add new Search macros

Name=fileDateTime
Definition=source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime

Then you can use that inside of a search by calling |fileDateTime
http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Definesearchmacros

0 Karma

New2Splunk
Explorer

Thanks for the answer, cmerriman! I wasn't aware of this option. Where I work it's a "learn just enough to get the job done" kind of environment, so I was working on the simple search option. But macros are definitely something I will look into because I have a lot of files to search, and a generic macro that I can feed the file name/location into as a parameter and get back the result will be a huge help. Thanks!

0 Karma

cmerriman
Super Champion

It's definitely a great option when you use the same search over and over with different arguments; especially if the search ever changes, you only have to change it in one place.

0 Karma
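A parameterized version of the macro cmerriman describes, combined with somesoni2's quote-and-`return $field` trick so the result drops straight into an eval. This is an added example, not code from the thread; the macro name `latestCsvTimestamp`, the argument name `csvfile` and the `macros.conf` stanza are constructed (the same macro can be created in the UI with Name=latestCsvTimestamp(1) and Arguments=csvfile).

```ini
# macros.conf (constructed example). The "(1)" in the stanza name declares one argument,
# and $csvfile$ is substituted textually wherever the macro is invoked.
[latestCsvTimestamp(1)]
args = csvfile
definition = search source="$csvfile$" host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime | eval fileDatetime="\"".fileDatetime."\"" | return $fileDatetime

# Usage inside a larger search. The subsearch expands to the quoted value only
# (e.g. "2017-05-22 08:13:58.169 US/Eastern"), so eval sees a string assignment
# instead of fileDatetime="value", which it would parse as a Boolean comparison
# and reject with "Fields cannot be assigned a boolean result":
#
#   ... | eval fileDatetime=[`latestCsvTimestamp(/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv)`]
#
# A second CSV only needs a different argument, not a second macro:
#
#   ... | eval fileDatetime=[`latestCsvTimestamp(/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv)`]
```

Because `return` emits a single row by default, an empty subsearch result (no events in the CSV) yields an empty assignment; check for that with `isnull(fileDatetime)` before using the value downstream.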