In the props.conf of the TA on line 65 is the following:
EVAL-lease_scope = if(len(lease_scope_subnet)=>1,src."/".lease_scope_subnet,null())
Looking through my splunkd.log, I see the below error. Sadly my regex-fu isn't that good; what is wrong, and how would I fix it?
WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-lease_scope' in stanza [meraki]: The expression is malformed. An unexpected character is reached at '>1,src."/".lease_scope_subnet,null())
It is just a syntax error in your greater than or equal to expression. Swap the > and = signs around.
You can recreate the problem in SPL by just doing this:
| makeresults
| eval test = 2
| eval test2 = if(len(test) => 1, "yes", null())
See it error and then see it happy with:
| makeresults
| eval test = 2
| eval test2 = if(len(test) >= 1, "yes", null())
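A pre-deployment check for the mistake this answer identifies, as an added example (not code from the TA or from Splunk): it scans props.conf text for EVAL- settings that contain a reversed comparison operator (`=>` or `=<`) outside string literals. The sample config is constructed from the line in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: the stanza and EVAL from the question, plus one clean EVAL
# whose string literal contains "=>" and must not be flagged.
SAMPLE_PROPS = '''\
[meraki]
EVAL-lease_scope = if(len(lease_scope_subnet)=>1,src."/".lease_scope_subnet,null())
EVAL-note = if(len(src)>=1, "a => b", null())
'''

STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')  # double-quoted eval string
REVERSED_OP = re.compile(r'=[<>]')                 # "=>" or "=<"; eval wants ">=" / "<="

def logical_lines(text):
    """Yield (line_number, line) with trailing-backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_reversed_comparisons(text):
    """Return (stanza, key, line_number, operator) for each reversed operator."""
    findings, stanza = [], None
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, expr = line.partition("=")
        if not sep or not key.strip().startswith("EVAL-"):
            continue
        # Blank out string literals so operators inside quoted text are ignored.
        code = STRING_LITERAL.sub('""', expr)
        for m in REVERSED_OP.finditer(code):
            findings.append((stanza, key.strip(), no, m.group()))
    return findings

if __name__ == "__main__":
    for stanza, key, no, op in find_reversed_comparisons(SAMPLE_PROPS):
        print(f"line {no}: [{stanza}] {key}: '{op}' should be '{op[::-1]}'")
```

Run against a TA's default/props.conf before deployment, an empty result means no calculated field will be dropped by this particular parse error.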
Thanks Worshamm!
hello there,
see what it tries to do,
create your own expression for lease_scope
create local folder in the TA and add new props.conf
with the correction
make sure you apply the configuration to the correct [stanza]
please share your solution with us so others can enjoy too!
I have no idea what it is trying to do (which is why I posted this question). I'm just trying to clean up errors in the logs.
Thanks for replying though.
I'll investigate. That was one I never caught... sorry.
The purpose was for the DHCP tag under the common information model "Sessions"
DHCP | lease_scope | string | The consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered.
I thought I tested it against several different pieces of data. But I missed that one :(.
After testing it I'll upload a new package.
A co-worker of mine just discovered that we're seeing the same error in version 1.0.6.
Just wondering if that is fixed in later versions?
I pushed out a new release into the repo:
https://github.com/AlaskaSSO/TA-meraki/releases/tag/v1.1.2
If it looks good I'll push it up to the splunk app store.