https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88912#M22763 <P>Also, the "ExtractFriendlyMetricName" listed above is a similar case statement and it works fine.</P> Wed, 17 Nov 2010 00:28:11 GMT johnboldt 2010-11-17T00:28:11Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88908#M22759 <P>I'm receiving the following error message on a search: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression</P> <P>The expression is a search macro that takes a string parameter and returns a message based on a regex match using a case statement which uses the <STRONG>match</STRONG> function.</P> <P>This statement was working at one point, and then I started getting the error. Any ideas?</P> Mon, 15 Nov 2010 13:36:23 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88908#M22759 johnboldt 2010-11-15T13:36:23Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88909#M22760 <P>Posting the actual search would go a long way toward getting a useful answer. Please edit your question above to provide more detail.</P> Mon, 15 Nov 2010 21:32:58 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88909#M22760 southeringtonp 2010-11-15T21:32:58Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88910#M22761 <P>Agreed with southeringtonp - please post the search and also the macros it uses.</P> Tue, 16 Nov 2010 05:51:06 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88910#M22761 sideview 2010-11-16T05:51:06Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88911#M22762 <P>Here's the search:</P> <PRE><CODE>sourcetype="SRCTYPE" hoursago=1 | `InetServiceCallsSearch` | eval Metric=`ExtractFriendlyMetricName(Message)` | eval SLA=`GetActivitySLA(Message)` | stats count as "Count", avg(elapsedTime) as "Average", p95(elapsedTime) as "95th Percentile", max(SLA) as "SLA" by Metric </CODE></PRE> <P>The eval that's blowing up is <CODE>GetActivitySLA</CODE>, listed below:</P> <PRE><CODE>case ( match($message$, "Some Message", 500, match($message$, "Another Message:"), 500, match($message$, "Yet Another Message:"), 500 ) </CODE></PRE> <P>If I extract the macro body and place it directly into the search it works fine:</P> <PRE><CODE>eval SLA=case (...) </CODE></PRE> Wed, 17 Nov 2010 00:24:28 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88911#M22762 johnboldt 2010-11-17T00:24:28Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88912#M22763 <P>Also, the "ExtractFriendlyMetricName" listed above is a similar case statement and it works fine.</P> Wed, 17 Nov 2010 00:28:11 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88912#M22763 johnboldt 2010-11-17T00:28:11Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88913#M22764 <P>You are missing an end/right-parenthesis ")" that I highlight in <CODE>red</CODE>:</P> <P>case (<BR /> match($message$, "Some Message" <CODE>)</CODE>, 500,<BR /> match($message$, "Another Message:"), 500, <BR /> match($message$, "Yet Another Message:"), 500<BR /> )</P> Wed, 27 May 2015 05:15:27 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88913#M22764 woodcock 2015-05-27T05:15:27Z https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88914#M22765 <P>If this was the problem, do click "Accept" on the answer to close it.</P> Mon, 21 Dec 2015 14:52:38 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Error-In-Search-Statement/m-p/88914#M22765 woodcock 2015-12-21T14:52:38Z