Solved: Why am I getting an invalid eval expression error ...

mthomwalk · ‎05-30-2018

Brand new Splunk Enterprise 7.1.0 install, not upgraded, and installed the 1.1.0 version of TA-MS_O365_Reporting on the Search Head cluster via Deployer and also on a Heavy Forwarder via the Deployment Server. Configured the app via the web GUI on the HF following the documentation on the Splunkbase page. Created an o365 index and set that as the index in the app.

I'm seeing "05-30-2018 11:01:00.558 -0500 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-vendor_product' in stanza [ms:o365:reporting:messagetrace]: The expression is malformed. Expected OR." being logged constantly on the SHs and HF in splunkd.log and getting no messagetrace events in index=o365.

Any suggestions?

jconger · ‎05-30-2018

Try adding double quotes around the EVAL expression in props.conf like so:

EVAL-vendor_product = "Microsoft Office 365"

View solution in original post

jconger · ‎05-30-2018

Try adding double quotes around the EVAL expression in props.conf like so:

EVAL-vendor_product = "Microsoft Office 365"

keithevanscdcr · ‎03-11-2021

They're still adding this without the quotes in the default app props.conf, WTH...

mthomwalk · ‎05-30-2018

That was it. Thank you!

Why am I getting an invalid eval expression error on search heads and the heavy forwarder?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life