Why am I getting an invalid eval expression error on search heads and the heavy forwarder?

mthomwalk
Engager

Brand new Splunk Enterprise 7.1.0 install, not upgraded, and installed the 1.1.0 version of TA-MS_O365_Reporting on the Search Head cluster via Deployer and also on a Heavy Forwarder via the Deployment Server. Configured the app via the web GUI on the HF following the documentation on the Splunkbase page. Created an o365 index and set that as the index in the app.

I'm seeing "05-30-2018 11:01:00.558 -0500 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-vendor_product' in stanza [ms:o365:reporting:messagetrace]: The expression is malformed. Expected OR." being logged constantly on the SHs and HF in splunkd.log and getting no messagetrace events in index=o365.

Any suggestions?

0 Karma
1 Solution

jconger
Splunk Employee

Try adding double quotes around the EVAL expression in props.conf like so:

EVAL-vendor_product = "Microsoft Office 365"

keithevanscdcr
Explorer

They're still adding this without the quotes in the default app props.conf, WTH...

0 Karma

mthomwalk
Engager

That was it. Thank you!

0 Karma
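
To find other settings with the same problem as the one fixed in the accepted answer, the following added example (not code from the thread or from the add-on) scans props.conf text for `EVAL-` settings whose expression is only bare words with no quotes or operators. It is a heuristic, not Splunk's eval parser; the sample stanza `[example:fixed]` and the field names `Size`, `dest` and `RecipientAddress` are constructed for illustration.

```python
import re

# Constructed sample: the first stanza mirrors the failing setting from the
# question; the second holds expressions that must not be flagged.
SAMPLE_PROPS = '''\
[ms:o365:reporting:messagetrace]
EVAL-vendor_product = Microsoft Office 365

[example:fixed]
# comment lines are skipped
EVAL-vendor_product = "Microsoft Office 365"
EVAL-size_kb = round(Size / 1024, 1)
EVAL-dest = coalesce(dest, RecipientAddress)
'''

BARE_WORD = re.compile(r'^[A-Za-z0-9_]+$')
# Word-form operators: a bare word next to one of these is not a stray literal.
KEYWORD_OPERATORS = {'AND', 'OR', 'NOT', 'XOR', 'LIKE', 'IN'}


def find_unquoted_literals(props_text):
    """Return (stanza, setting, expression) for each EVAL- setting whose
    expression is two or more bare words with no operator between them."""
    findings = []
    stanza = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            stanza = line[1:-1]
            continue
        # Split on the first '=' only; later '=' belong to the expression.
        key, sep, expr = line.partition('=')
        key, expr = key.strip(), expr.strip()
        if not sep or not key.startswith('EVAL-'):
            continue
        tokens = expr.split()
        if (len(tokens) >= 2
                and all(BARE_WORD.match(t) for t in tokens)
                and not any(t.upper() in KEYWORD_OPERATORS for t in tokens)):
            findings.append((stanza, key, expr))
    return findings


if __name__ == '__main__':
    for stanza, key, expr in find_unquoted_literals(SAMPLE_PROPS):
        print(f'[{stanza}] {key} = {expr}  -> wrap the literal in double quotes')
```

Run it against the props.conf text of each deployed app; a finding names the stanza and setting in the same form as the `CalcFieldProcessor` warning in splunkd.log.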