topic Re: Error in 'eval' command: The 'first' function is unsupported or undefined. in Splunk Search

Error in 'eval' command: The 'first' function is unsupported or undefined.

Splunk_U — Mon, 28 Sep 2020 13:04:56 GMT

I have written the below search string:

But is it providing me an error "Error in 'eval' command: The 'first' function is unsupported or undefined."

Help!!!

Re: Error in 'eval' command: The 'first' function is unsupported or undefined.

kristian_kolb — Thu, 10 Jan 2013 16:34:44 GMT

first() is not a function to eval

http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/CommonEvalFunctions

it is, however, to stats

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

/Kristian

Re: Error in 'eval' command: The 'first' function is unsupported or undefined.

Splunk_U — Thu, 10 Jan 2013 18:06:54 GMT

Thank you Kristian!!

I got it... but what I need is "RXbytes" data is getting generated in every 60 secs. I need to store the data for an interval of 5 mins that is 1 generated in one minute...then I need use that data...Is there any array kind of concept in SPlunk?

Re: Error in 'eval' command: The 'first' function is unsupported or undefined.

Splunk_U — Thu, 10 Jan 2013 18:28:33 GMT

I need to know how can I retrieve the elements present in a list...

Re: Error in 'eval' command: The 'first' function is unsupported or undefined.

Ayn — Thu, 10 Jan 2013 19:05:24 GMT

Use eval's mvindex function for that.

Re: Error in 'eval' command: The 'first' function is unsupported or undefined.

woodcock — Tue, 30 Dec 2014 15:02:41 GMT

Also be aware that "first" does not mean "oldest" or "earliest", it means "first encountered while working backwards through the events" which means it is the same as "newest" or "latest". This is VERY confusing and I think Splunk should either oldest/newest or earliest/latest to the functions so that people who care about clarity (most of us) can abandon the use of first/last and use something less likely to cause confusion.