Knowledge Management

Error in macro "The definition of macro is expected to be an eval expression that returns a string."

pradeepkumarg
Influencer

I'm trying to filter my data with the current day of week value using a macro. DAY_OF_WK is a field in my sourcetype

I get this error when trying below query with macro

Error in macro "The definition of macro is expected to be an eval expression that returns a string."

Query

index=my_index sourcetype=mysourcetype DAY_OF_WK=dayofwk(1)

Macro


if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

Any idea on what I am doing wrong here?

Thanks,
Pradeep

Tags (2)
0 Karma
1 Solution

aweitzman
Motivator

I tried this stanza and it worked fine:

[dayofwk(1)]
args = dummy
definition = if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

My search

| gentimes start=-1 | eval zzz=`dayofwk(1)` | fields zzz

got me the expected value.

Did you put iseval = true at the end of your stanza? If so, it's unnecessary.

View solution in original post

aweitzman
Motivator

I tried this stanza and it worked fine:

[dayofwk(1)]
args = dummy
definition = if($dummy$==1, strftime(now(),"%w"), strftime(now(),"%w"))

My search

| gentimes start=-1 | eval zzz=`dayofwk(1)` | fields zzz

got me the expected value.

Did you put iseval = true at the end of your stanza? If so, it's unnecessary.

aweitzman
Motivator

I figured out your real problem. now() is not capable of being processed in a macro. See here:

http://answers.splunk.com/answers/4907/can-you-use-now-in-eval-based-macros.html

I tried making an eval-based macro using time() instead of now() as described in the above link, adding iseval=true, and using it as you wanted to use it above, and it worked fine. Give that a shot.

pradeepkumarg
Influencer

Awesome.. worked like a champ. Thank you so much 🙂

0 Karma

aweitzman
Motivator

Does my original query work if you uncheck the "Use eval-based definition" checkbox? If so, do that and structure your earlier query like this:

index=my_index sourcetype=mysourcetype | where DAY_OF_WK=`dayofwk(1)`

Yes, this is more inefficient. However, I have not figured out any way to get the macro to work with iseval = true (which is the equivalent of your checkbox).

0 Karma

pradeepkumarg
Influencer

Ahh, I removed iseval=true and it worked. But I'm unable to use it before the first pipe. If I have to use it after the pipe, I don't need a macro in first place.

0 Karma

thambisetty
SplunkTrust
SplunkTrust

If you were to use iseval = 1. you must specify definition of the macro within double quotes "". Because Splunk is expecting string in the definition

example definition 

"round('$field$',$decimal$)"
————————————
If this helps, give a like below.
0 Karma

pradeepkumarg
Influencer

even the eval after pipe | is not working for me | eval DAY=dayofwk(1). I get the same error. Even tried the same query which you mentioned above and it doesn't work

0 Karma

pradeepkumarg
Influencer

I'm configuring it through WEB, and yes "Use eval-based definition?" is checked. Is it because I want to substitute this even before first pipe "|" and you are doing it in eval in your search query? does that matter? I want to filter this before first pipe |

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...