Thanks for the answer, cmerriman! I wasn't aware of this option. Where I work it's a "learn just enough to get the job done" kind of environment, so I was working on the simple search option. But macros are definitely something I will look into because I have a lot of files to search, and a generic macro that I can feed the file name/location into as a parameter and get back the result will be a huge help. Thanks!
I have a simple search of a CSV file pulling back the latest timestamp:
source=/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime
This returns the correct entry:
2017-05-22 08:13:58.169 US/Eastern
I want to assign that value to a variable so I can use it in a larger search. However, when I try things like:
| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime]
I get the error:
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
This error seems to be consistent with different things I try, like using a "return fileDatetime" in the subsearch, throwing in double quotes, etc. I've searched the forums, and seem to see this error when people are actually doing Boolean operations, but all I want to do is assign a search value to a variable. I'm not understanding what this error is telling me. Can someone tell me how to set the variable equal to the timestamp I get when I run this search standalone so it can be used in the larger search, and if you can shed any light onto what this error is saying in relation to what I am doing, I'd really appreciate it.
I have a very watered down search that pulls a string from a CSV file:
source="FILE.csv" host="HOSTSERVER" sourcetype="csv" "COLUMN NAME WITH SPACES IN CSV"="123" | table "COLUMN NAME WITH SPACES IN CSV"
Running this search returns a string as expected.
I would like to assign this value to a variable. The eval statement below is part of a larger search that builds a database query used in a dbxquery search:
eval STRINGBACK=[search source="FILE.csv" host="HOSTSERVER" sourcetype="csv" "COLUMN NAME WITH SPACES IN CSV"="123" | table "COLUMN NAME WITH SPACES IN CSV"]
When I try to run it, I get the error "Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr])."
I did a tostring() on the STRINGBACK eval to see what it thought was coming back from the search, and it is "FALSE". I'm guessing I'm doing something pretty simple and foolish here to mess things up. Can anyone let me know what I am doing wrong? Thanks!