Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Inconsistency in eval behavior

immortalraghava
Path Finder
‎02-22-2018 03:42 AM

I have a sample search with an eval statement which works, 

index = _internal | head 1 | eval temp = strftime(now(),"%M") | table temp

But when I try to add the same to a macro, it doesn't work. 

[find_current_min]
definition = strftime(now(),"%M")
iseval = 1

I get the following error when I try to call the macro `find_current_min`

alt text

Please explain this strange behavior.

Any help appreciated.

Thanks

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

immortalraghava
Path Finder
‎06-28-2018 07:23 AM

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

immortalraghava
Path Finder
‎06-28-2018 07:23 AM

To properly set the earliest time for the search. We have data only for 5 mins granularity. 11:05, 11:10 ... So if the search running at 12:13 to get past one hour data earliest time is set as 11:13, we want to set it as 11:10

We achieved this by using time(). now() doesn't work with iseval =1

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-22-2018 07:04 AM

I agree with @cusello that this would be a good use case for a Calculated Field, but you should also be able to make this work as it stands by simply changing iseval = 1 to iseval = 0.

As per the documentation for macros.conf, this setting should only be set to 1 if "the definition attribute is expected to be an eval expression that returns a string that represents the expansion of this macro."

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2018 04:36 AM

hi immortalraghavan,
To do what you want, you don't need a macro, but a calculated field [Setting -- Fields -- Calculated fields] and don't need also of eval command.

Only for my curiosity, why you need the now minute?

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...