I have a simple search of a CSV file pulling back the latest timestamp:
source=/opt/apps/splunk/var/run/splunk/csv/CSVFileInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime
This returns the correct entry:
2017-05-22 08:13:58.169 US/Eastern
I want to assign that value to a variable so I can use it in a larger search . However, when I try things like:
| eval fileDatetime=[search source=/opt/apps/splunk/var/run/splunk/csv/ProdOracleInvalidLogins.csv host=servername sourcetype=csv | stats latest(TIMESTAMP) as fileDatetime]
I get the error:
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
This error seems to be consistent with different things I try, like using a "return fileDatetime" in the subsearch, throwing in double quotes, etc. I've searched the forums, and seem to see this error when people are actually doing Boolean operations, but all I want to do is assign a search value to a variable. I'm not understanding what this error is telling me. Can someone tell me how to set the variable equal to the timestamp I get when I run this search standalone so it can be used in the larger search, and if you can shed any light onto what this error is saying in relation to what I am doing, I'd really appreciate it.
↧