Solved: Inconsistency in eval behavior

immortalraghava · ‎02-22-2018

I have a sample search with an eval statement which works,

index = _internal | head 1 | eval temp = strftime(now(),"%M") | table temp

But when I try to add the same to a macro, it doesn't work.

[find_current_min]
definition = strftime(now(),"%M")
iseval = 1

I get the following error when I try to call the macro `find_current_min`

Please explain this strange behavior.

Any help appreciated.

Thanks

immortalraghava · ‎06-28-2018

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

View solution in original post

immortalraghava · ‎06-28-2018

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

elliotproebstel · ‎02-22-2018

I agree with @cusello that this would be a good use case for a Calculated Field, but you should also be able to make this work as it stands by simply changing iseval = 1 to iseval = 0.

As per the documentation for macros.conf, this setting should only be set to 1 if "the definition attribute is expected to be an eval expression that returns a string that represents the expansion of this macro."

gcusello · ‎02-22-2018

hi immortalraghavan,
To do what you want, you don't need a macro, but a calculated field [Setting -- Fields -- Calculated fields] and don't need also of eval command.

Only for my curiosity, why you need the now minute?

Bye.
Giuseppe

Inconsistency in eval behavior

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life