topic Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)' in Splunk Search

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

antoniofacchi — Tue, 29 Sep 2020 12:15:11 GMT

Hi,

for a SLA project, I'm using Splunk to read Nagios the availability status of some services.
Using the condition "current_state=2 AND current_check_attempt=max_check_attempts", Nagios state a critical situation. My search works fine if some critical events are found, but if they aren't found I get the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

because I can't get the last_time_ok field in the stats count latest(last_time_critical) as last_time_critical by last_time_ok.
The last_time_ok field is important to understand ehen start a new incident.

How can resolve? Here my search:

index=app_nagios sourcetype=ydms_status  earliest=-1h SERVICESTATEID:sasv03qb:
 |eventstats earliest(_time) as start_period latest(_time) as end_period                        
 |eval duration_period=end_period - start_period 
 |eval duration_incident=if((current_state = 2),
 [search index=app_nagios sourcetype=ydms_status  earliest=-1h SERVICESTATEID:sasv03qb:   
     |where current_state=2 AND current_check_attempt=max_check_attempts |stats count latest(last_time_critical) as  last_time_critical by last_time_ok |eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|eval duration_incident=end_incident - start_incident|stats sum(duration_incident) as duration_incident|return $duration_incident],0)|eval %unavail=round(duration_incident/(duration_period)*100,2)                         
|eval %= round((100 - '%unavail'),2)|eval %= round((100 - '%unavail'),2)|sort  %|head 1|fields %

Many thanks for your support.
Antonio

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

jkat54 — Wed, 04 Jan 2017 12:11:52 GMT

Looks like there is an ending ] bracket in the middle of the return statement.

However I'm guessing that's a typo or the forum auto formatting because you didn't surround your code with code tags.

To solve the problem when a field might be null try this:

 ...| eval possibleNullField=if(isnull(possibleNullField),"NULL",possibleNullField) | ...

To be read as if this field is empty, make it equal the string of "NULL". else, make it the value of itself.

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

antoniofacchi — Tue, 29 Sep 2020 12:15:41 GMT

Hi jkat54,

the ] is the end bracket of the subsearch. In any case, I've inserted |eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok) but I still got the Issue. I dont' should be any syntax error becuase If I change the earliest time to get some critical events the search works fine. I ship the newest search:
*index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:
|eventstats earliest(_time) as start_period latest(_time) as end_period

|eval duration_period=end_period - start_period
|eval duration_incident=if((current_state = 2),
[search index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:

|where current_state=2 AND current_check_attempt=max_check_attempts|eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok) |stats count latest(last_time_critical) as last_time_critical by last_time_ok |eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|eval duration_incident=end_incident - start_incident|stats sum(duration_incident) as duration_incident|return $duration_incident],0)|eval %unavail=round(duration_incident/(duration_period)*100,2)

|eval %= round((100 - '%unavail'),2)|eval %= round((100 - '%unavail'),2)|sort %|head 1|fields %*

Please let me know any other workarounds.

Many thanks for the support.
Antonio

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

jkat54 — Wed, 04 Jan 2017 14:32:23 GMT

Try moving your subsearch out of your eval somehow. It could be an append, etc. Prior to the eval that needs it.

You've got some condition where it can't return $duration_incident and you need to figure out what condition(s) that is and account for them.

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

antoniofacchi — Wed, 04 Jan 2017 15:40:20 GMT

Hi jkat54,

yes, now it works! I have added the following append in the middle to create a single event with duration_incident=0:

append[search index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:|head 1|eval duration_incident=0]

Here the newly search:

index=app_nagios sourcetype=ydms_status  earliest=-3mon SERVICESTATEID:sasv03qb:
 |eventstats earliest(_time) as start_period latest(_time) as end_period                        
 |eval duration_period=end_period - start_period 
 |eval duration_incident=if((current_state = 2  ),
 [search index=app_nagios sourcetype=ydms_status  earliest=-3mon SERVICESTATEID:sasv03qb:   
     |where current_state=2 AND current_check_attempt=max_check_attempts |stats count latest(last_time_critical) as  last_time_critical by last_time_ok |eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|eval duration_incident=end_incident - start_incident|append[search index=app_nagios sourcetype=ydms_status  earliest=-1h SERVICESTATEID:sasv03qb:|head 1|eval duration_incident=0]|stats sum(duration_incident) as duration_incident|return $duration_incident],0)|eval %unavail=round(duration_incident/(duration_period)*100,2)                         
|eval %= round((100 - '%unavail'),2)|eval %= round((100 - '%unavail'),2)|sort  %|head 1|fields % *

Thank you very much for your great support.

Antonio

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

jkat54 — Wed, 04 Jan 2017 21:16:04 GMT

can you convert this to a comment on my answer that suggested using append, and then mark my answer as the answer to give me credit for the idea please? Thanks in advance!

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

antoniofacchi — Thu, 05 Jan 2017 06:52:07 GMT

How you've suggested, I insert an APPEND command to set "0" duration_incidend field, and now it works very well.
Thank you for your great support.
Antonio

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

antoniofacchi — Thu, 05 Jan 2017 06:56:23 GMT

Thank you very much.
It works! How you have suggested inserting an APPEND commnad to set "0" the duration_incident field has resolved my issue.

Thanks again
Antonio