https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224019#M188262 <PRE><CODE> index=gamification AND sourcetype = stash | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure </CODE></PRE> <P>Why table isFailure never show any results?</P> <P>because you're != instead of = . Eval is a generating command... in this case your logic is saying... dont generate anything.</P> <P>You want something like this instead:</P> <PRE><CODE> index=gamification AND sourcetype = stash | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure </CODE></PRE> <P>This one fails because of spacing:</P> <PRE><CODE> index=gamification | spath | rename gamification.action.name as actionId, gamification.user.id as playerId, _indextime as date, gamification.origin.name as origin | where origin="sparxea" | eval updated=[ search index=gamification AND sourcetype = stash | eval isFailure=if(searchmatch("gamification"),1,0) | eval updated=if(isFailure =="0",now(),_indextime) | return $updated ] | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") | where date &gt; updated | table updated,date,playerId,actionId | script python gamification -t playlyfe -c action -m p | collect index="gamification" </CODE></PRE> <P>Should be like this instead:</P> <PRE><CODE> index=gamification | spath | rename gamification.action.name as actionId, gamification.user.id as playerId, _indextime as date, gamification.origin.name as origin | where origin="sparxea" | eval updated=[ search index=gamification AND sourcetype=stash | eval isFailure=if(searchmatch("gamification"),1,0) | eval updated=if(isFailure=="0",now(),_indextime) | return $updated ] | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") | where date &gt; updated | table updated,date,playerId,actionId | script python gamification -t playlyfe -c action -m p | collect index="gamification" </CODE></PRE> <P>I fixed spacing here:</P> <PRE><CODE> search index=gamification AND sourcetype=stash </CODE></PRE> <P>And here:</P> <PRE><CODE> | eval updated=if(isFailure=="0",now(),_indextime) </CODE></PRE> <P>And here:</P> <PRE><CODE> | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") </CODE></PRE> <P>Same with this one:</P> <PRE><CODE> | eval updated=[ search index=gamification AND sourcetype=stash | eval updated=if(isnotnull(extractfield),_indextime,now()) | return $updated ] </CODE></PRE> Fri, 12 Aug 2016 16:52:18 GMT jkat54 2016-08-12T16:52:18Z https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224018#M188261 <P>Hello,</P> <P>I am doing a search and i know sometimes it will return no results.</P> <PRE><CODE>index=gamification AND sourcetype = stash | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure </CODE></PRE> <P>Why table isFailure never show any results?</P> <P>Another exemple is my concrete query :</P> <PRE><CODE>index=gamification | spath | rename gamification.action.name as actionId, gamification.user.id as playerId, _indextime as date, gamification.origin.name as origin | where origin="sparxea" | eval updated=[ search index=gamification AND sourcetype = stash | eval isFailure=if(searchmatch("gamification"),1,0) | eval updated=if(isFailure =="0",now(),_indextime) | return $updated ] | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") | where date &gt; updated | table updated,date,playerId,actionId | script python gamification -t playlyfe -c action -m p | collect index="gamification" </CODE></PRE> <P>Here i am testing if i have event results in a subsearch, if i have, i take the indextime of the first result, if not, the actual time.<BR /> With this search, i got an error : eval dest_key = expression</P> <P>Here is why i am testing the result count : <A href="https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html">https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html</A>. This link seemed to be a possible solution to my problem.</P> <P>At begining, i was doing the subsearsh like this, But it gives me the same error : eval dest_key = expression</P> <PRE><CODE> | eval updated=[ search index=gamification AND sourcetype = stash | eval updated=if( isnotnull( extractfield ),_indextime,now()) | return $updated ] </CODE></PRE> <P>I really need help please. Thanks</P> Fri, 12 Aug 2016 16:30:56 GMT https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224018#M188261 gamification 2016-08-12T16:30:56Z https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224019#M188262 <PRE><CODE> index=gamification AND sourcetype = stash | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure </CODE></PRE> <P>Why table isFailure never show any results?</P> <P>because you're != instead of = . Eval is a generating command... in this case your logic is saying... dont generate anything.</P> <P>You want something like this instead:</P> <PRE><CODE> index=gamification AND sourcetype = stash | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure </CODE></PRE> <P>This one fails because of spacing:</P> <PRE><CODE> index=gamification | spath | rename gamification.action.name as actionId, gamification.user.id as playerId, _indextime as date, gamification.origin.name as origin | where origin="sparxea" | eval updated=[ search index=gamification AND sourcetype = stash | eval isFailure=if(searchmatch("gamification"),1,0) | eval updated=if(isFailure =="0",now(),_indextime) | return $updated ] | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") | where date &gt; updated | table updated,date,playerId,actionId | script python gamification -t playlyfe -c action -m p | collect index="gamification" </CODE></PRE> <P>Should be like this instead:</P> <PRE><CODE> index=gamification | spath | rename gamification.action.name as actionId, gamification.user.id as playerId, _indextime as date, gamification.origin.name as origin | where origin="sparxea" | eval updated=[ search index=gamification AND sourcetype=stash | eval isFailure=if(searchmatch("gamification"),1,0) | eval updated=if(isFailure=="0",now(),_indextime) | return $updated ] | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") | where date &gt; updated | table updated,date,playerId,actionId | script python gamification -t playlyfe -c action -m p | collect index="gamification" </CODE></PRE> <P>I fixed spacing here:</P> <PRE><CODE> search index=gamification AND sourcetype=stash </CODE></PRE> <P>And here:</P> <PRE><CODE> | eval updated=if(isFailure=="0",now(),_indextime) </CODE></PRE> <P>And here:</P> <PRE><CODE> | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") </CODE></PRE> <P>Same with this one:</P> <PRE><CODE> | eval updated=[ search index=gamification AND sourcetype=stash | eval updated=if(isnotnull(extractfield),_indextime,now()) | return $updated ] </CODE></PRE> Fri, 12 Aug 2016 16:52:18 GMT https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224019#M188262 jkat54 2016-08-12T16:52:18Z https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224020#M188263 <P>Hello,</P> <P>Thanks for you answer.<BR /> I try it soon and give a reply !</P> Fri, 12 Aug 2016 19:55:06 GMT https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224020#M188263 gamification 2016-08-12T19:55:06Z https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224021#M188264 <P>Hello ,</P> <P>I tried your solutions.</P> <PRE><CODE>index=gamification AND sourcetype = stash | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure </CODE></PRE> <P>It gives me no result found.</P> <P>The main query with your spacing fixes still give me the same error : eval dest_key = expression</P> Mon, 15 Aug 2016 11:29:16 GMT https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224021#M188264 gamification 2016-08-15T11:29:16Z https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224022#M188265 <P>I see a space on both sides of your equals ( = ) still. Did you try without that?</P> <P>I think this is the problem:</P> <P>| eval isFailure=if(search match("gamification"),1,0) </P> <P>Should be this instead</P> <P>| eval isFailure=if(match(gasification,"REGEX"),1,0) </P> <P>And I don't know your regex. What if you just remove this one eval?</P> Mon, 15 Aug 2016 12:03:08 GMT https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224022#M188265 jkat54 2016-08-15T12:03:08Z https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224023#M188266 <P>Actually the problem is in my main query, <BR /> sometimes the subsearch return events, sometimes not. <BR /> What i want to achieve is depending if i find result or not, it gives me different date.<BR /> Here the change i did in the subsearch ( it's what i want to achieve since the begining).</P> <PRE><CODE>search index=gamification AND sourcetype= stash | eval origin=originUpdate | where origin="sparxea" | eval time = _indextime | eval updated=if(isnull(time),now(),_indextime) | return $updated </CODE></PRE> <P>Even if i should always return a date because of this line <CODE>| eval updated=if(isnull(time),now(),_indextime)</CODE><BR /> eval function give me error eval dest_key = expression because when no events are found, eval is unable to generate values to return. I can't figure how to do it.</P> Tue, 16 Aug 2016 12:06:15 GMT https://community.splunk.com/t5/Splunk-Search/Eval-function-weird-return/m-p/224023#M188266 gamification 2016-08-16T12:06:15Z