Hi,
Is this command not valid?
index=batch | eval newField = lower(strftime(strptime("2014-oct" + "01","%Y-%b%d"),"regular"+"%b%y")) | search newField
This command never returns any values. I have checked the basics. Just wondering if eval does not work this way. Thanks
I think maybe the OP needs a subsearch-type syntax, because it looks like they are searching for the resulting value of the eval expression. So something like:
index=batch [| gentimes start=-1 | eval newField=... | table newField]
That should translate the subsearch expression into (newField=<value of eval expression>) and apply that to index=batch, which I think is what is being asked for here.
Just made it an answer.
The answer provided by aweitzman worked perfectly:
index=batch [| gentimes start=-1 | eval newField=... | table newField]
(If you want to post the answer I can mark it as solved)
So I figured it out. I didn't have the token linked to a fieldset element!
Does the query work if you change the value in the input dropdown? Also, can you try by adding autoRun=True in the
I know the token is received in my dashboard because it is visible via http GET (?form.cn=2015-Feb). I do not have a submitButton, however I do have an input dropdown that has searchWhenChanged=true. Is it maybe the fact that I use the token within a
Did you verify if the token $cn$ is receiving values? Also, if your panels have autoRun=true or you have a Submit button? The message 'Waiting for input' does suggest that the tokens are not resolved.
Doesn't seem to change anything, no 😞
Does putting quotes around it help?
...(strptime("$cn$"+"01",...
I managed to make this work when I have a hard-coded value in the strptime function. However, it does not work when I try to do the following:
index=batch AND [ search index=batch | eval partName=lower(strftime(strptime($cn$+"01","%Y-%b%d"),"regular"+"%b%y")) | table partName]
$cn$ being the value sent from another dashboard. The dashboard hangs on "Waiting for Input"
This syntax does work fine. (Try below runanywhere sample)
|gentimes start=-1 | eval newField = lower(strftime(strptime("2014-oct" + "01","%Y-%b%d"),"regular"+"%b%y")) | table newField
I guess the problem is with "search newField". This is like searching for string 'newField' in raw events and raw events don't have this field so no rows are returned. You should change this to "search newField=*" OR "where isnotnull(newField)"