Hi,
my saved search is very long. I want to put it in savedsearches.conf in multiple lines escaped through \
this is my search lines:
search = (sourcetype=syslog) \
| search NOT "DEBUG" \
| transaction host user maxspan=2s maxpause=2s \
| convert timeformat="...." ctime(_ctime) as time \
| (lots of more lines....)
This seems working unless I add 'convert' into my search. It breaks the whole search. Once I change everything to one line (by removing escape \ and \n), everything goes back to normal.
Is this a bug in somewhere in Splunk code? Why 'convert' is different?
Thanks
The Search Reference topic on convert notes that it "is mostly deprecated, and its functionality has been re-worked as functions of the eval command such as strftime()
, strptime()
, or tostring()
." Have you tried using eval
instead?
Further testing found another problem:
the 'rename' command does not work this way. It is not deprecated, but it breaks the search if I put following two lines in my search:
rename aaa as bbb \
| other search conditions
So, I have to put at least one other command following 'rename' in the same line:
rename aaa as bbb | other search conditions
The Search Reference topic on convert notes that it "is mostly deprecated, and its functionality has been re-worked as functions of the eval command such as strftime()
, strptime()
, or tostring()
." Have you tried using eval
instead?
this is exact the problem was. thank you very much.