- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using a Macro to return the earliest time value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using a Macro to return the earliest time value
Hello
I have drop-down acting like a timepicker. So when a user selects "Current Month", the $time$ (token for the drop down) is earliest=@mon latest=now(). Now I have to use this token and get the earliest value out to use it in a subsearch. I DON'T need the latest value from the token.
So I wrote a macro earliestevent(1) which does this and is set to eval-definition=true
earliest=-1m@m index=abc|stats count |append[|stats count|fields count|rename count as Time|eval Time="$time$"]|eventstats first(Time) as Time|rex field=Time "earliest\=(?P<earliest>\S+)"|dedup earliest|table earliest|eval earliest=tostring(earliest)
Now I get the @mon as the value, but when I do earliest=earliestevent("earliest=@mon latest=now()") index=_internal (Somehow I am not able to place ` around the macro and get the format) it gives me
Error in 'SearchParser': The definition of macro 'earliestevent(1)' is expected to be an eval expression that returns a string.
Not sure what mistake I am doing. It's my first time writing an eval- definition macro. Any ideas on where I might be wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is telling you that your macro must be a streaming portion of a search, not a complete search. In other words, whatever goes into a macro must be something that fits in a fuller search after a pipe ( | ) character. So your macro is nonsensical because it is not syntactically valid to do a search like this:
... | earliest= ...
I am not sure what you are trying to do exactly but this is one way to make your macro syntactically (but probably not calculatingly) valid:
append [search earliest=-1m@m index=abc|stats count |append[|stats count|fields count|rename count as Time|eval Time="$time$"]|eventstats first(Time) as Time|rex field=Time "earliest\=(?P<earliest>\S+)"|dedup earliest|table earliest|eval earliest=tostring(earliest)]
This should be syntactically valid because append is valid after a pipe. Remember that you may only call a macro after a pipe like this:
... | `earliestevent("earliest=@mon latest=now()")`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the explanation. I understand where I am doing wrong. But is there a way that I can take a string like "earliest=@mon latest=now()" and get the output result as whatever the earliest value is and use it like
...|join report_month [search earliest=`macro($arg$)` latest=`macro($arg$)`+1h@h index=blah ...]` ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use addinfo, like this:
... | addinfo | join report_month [search earliest=info_min_time latest=info_max_time+3600 index=blah ...]
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/addinfo
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
