Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

transforms.conf INGEST_EVAL cannot get current time

season88481
Contributor
‎07-07-2020 07:00 PM

Hi everyone,

 

I am trying to add a field for the current OS time. 

 

Here is my props.conf and transforms.conf

 

#props.conf
[mysourcetype]
TRANSFORMS-getdate = get-current-date
#transforms.conf
[get-current-date]
INGEST_EVAL = current_date=now()

 

 

But I have this error:

 

ERROR regexExtractionProcessor - Error compiling INGEST_EVAL expression for get-current-date: Bad function

 

 

Is it a bug?

 

Cheers,

S

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

season88481
Contributor
‎07-08-2020 03:27 PM

Thanks richgalloway,

 

I found out using time() instead of now() can do the trick.

#props.conf
[mysourcetype]
TRANSFORMS-gettime = get-time-only

 

#transforms.conf
[get-time-only]
INGEST_EVAL = current_date=time()

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 06:29 AM
I suspect it is not a bug. Submit feedback at https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/IngestEval requesting a list of allowed functions in INGEST_EVAL.
As a workaround, consider using the existing _index_time field in place of current_date.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

season88481
Contributor
‎07-08-2020 03:27 PM

Thanks richgalloway,

 

I found out using time() instead of now() can do the trick.

#props.conf
[mysourcetype]
TRANSFORMS-gettime = get-time-only

 

#transforms.conf
[get-time-only]
INGEST_EVAL = current_date=time()
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...