All Apps and Add-ons

TA Meraki: how do I fix the bug I found in my splunkd.log?

jcooperFossil
Path Finder

In the props.conf of the TA on line 65 is the following:

EVAL-lease_scope = if(len(lease_scope_subnet)=>1,src."/".lease_scope_subnet,null())

Looking through my splunkd.log, I see the below error. Sadly my regex-fu isn't that good; what is wrong, and how would I fix it?

WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-lease_scope' in stanza [meraki]: The expression is malformed. An unexpected character is reached at '>1,src."/".lease_scope_subnet,null())
0 Karma
1 Solution

worshamn
Contributor

It is just a syntax error in your greater than or equal to expression. Swap the > and = signs around.
You can recreate the problem in SPL by just doing this:

| makeresults 
| eval test = 2
| eval test2 = if(len(test) => 1, "yes", null())

See it error and then see it happy with:

| makeresults 
| eval test = 2
| eval test2 = if(len(test) >= 1, "yes", null())

View solution in original post

worshamn
Contributor

It is just a syntax error in your greater than or equal to expression. Swap the > and = signs around.
You can recreate the problem in SPL by just doing this:

| makeresults 
| eval test = 2
| eval test2 = if(len(test) => 1, "yes", null())

See it error and then see it happy with:

| makeresults 
| eval test = 2
| eval test2 = if(len(test) >= 1, "yes", null())

jcooperFossil
Path Finder

Thanks Worshamm!

0 Karma

adonio
Ultra Champion

hello there,

see what it tries to do,
create your on expression for lease_scope
create local folder in the TA and add new props.conf with the correction
make sure you ally the configuration the correct [stanza]

please share your solution with us so others can enjoy too!

0 Karma

jcooperFossil
Path Finder

I have no idea what it is trying to do (which is why I posted this question). I'm just trying to clean up errors in the logs.
Thanks for replying though.

0 Karma

myron_davis
Path Finder

I'll investigate. That was one I never caught... sorry.

The purpose was for the DHCP tag under the common information model "Sessions"

DHCP lease_scope string The consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered.

I thought I tested it against several different pieces of data. But I missed that one :(.

After testing it I'll upload a new package.

0 Karma

jmantor
Path Finder

A co-worker of mine just discovered that we're seeing the same error in version 1.0.6.
Just wondering if that is fixed in later versions?

0 Karma

myron_davis
Path Finder

I pushed out a new release into the repo:
https://github.com/AlaskaSSO/TA-meraki/releases/tag/v1.1.2

If it looks good I'll push it up to the splunk app store.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...