- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Valid iseval macro doesn't expand when used in "sp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Valid iseval macro doesn't expand when used in "span="
Hi,
I have defined a macro that returns an amount of seconds with "s" appended to it, based on a start and end time. I want to use this macro to assign dynamic span values to a timechart.
This is my macro:
[get_timespan(2)]
args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1
When I test this in a dummy search, this query actually returns a table with "86400s" in each row:
bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span
So the macro works as expected and returns a value.
But when I try to invoke the macro in the span using this query:
bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count
I get an error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ".
It looks like it doesn't do the actual 'math' in the second query and just returns the macro definition, although it's an "iseval" macro. How can I get this to work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
one workaround would be to use an eval before the timechart command to resolve the macro and then use it on the span command
bla | eval tspan=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | timechart span=tchart ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In which case your only option is to modify the search macro to result in the text "span=xxxxxx" instead of returning only the actual timespan.
An example is provided by martin
http://answers.splunk.com/answers/79779/passing-span-as-argument-to-timechart.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also a good idea, but assigning a variable to "span=" doesn't work either:
Error in 'timechart' command: The value for option span (tspan) is invalid.
See also my other question on this forum: http://answers.splunk.com/answers/222954/how-to-pass-a-variable-to-timechart-span.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Sloefke
I just poked around the macros.conf documentation and saw that the iseval attribute format is supposed to be iseval = true/false, not iseval = 1/0. Could that be the problem?
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Macrosconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good idea, but unfortunately "1" and "true" both are valid options in the macros.conf file 😉
I tested it to be sure, same error.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
