Solved: transforms.conf INGEST_EVAL cannot get current tim...

season88481 · ‎07-07-2020

Hi everyone,

I am trying to add a field for the current OS time.

Here is my props.conf and transforms.conf

#props.conf
[mysourcetype]
TRANSFORMS-getdate = get-current-date

#transforms.conf
[get-current-date]
INGEST_EVAL = current_date=now()

But I have this error:

ERROR regexExtractionProcessor - Error compiling INGEST_EVAL expression for get-current-date: Bad function

Is it a bug?

Cheers,

S

season88481 · ‎07-08-2020

Thanks richgalloway,

I found out using time() instead of now() can do the trick.

#props.conf
[mysourcetype]
TRANSFORMS-gettime = get-time-only

#transforms.conf
[get-time-only]
INGEST_EVAL = current_date=time()

View solution in original post

richgalloway · ‎07-08-2020

I suspect it is not a bug. Submit feedback at https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/IngestEval requesting a list of allowed functions in INGEST_EVAL.
As a workaround, consider using the existing _index_time field in place of current_date.

---
If this reply helps you, Karma would be appreciated.

season88481 · ‎07-08-2020

Thanks richgalloway,

I found out using time() instead of now() can do the trick.

#props.conf
[mysourcetype]
TRANSFORMS-gettime = get-time-only

#transforms.conf
[get-time-only]
INGEST_EVAL = current_date=time()

transforms.conf INGEST_EVAL cannot get current time

fields

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?