Hi,
It is possible, I tested this query on the default _audit index. if you have access to the default _audit index you can run the below code as is :
|makeresults|eval count1=[ search index=_audit | stats count by action | table count | return $count]
| eval count2=[ search index=_audit | stats count by info | table count | return $count]
Here I have taken count1 as a count by the action field in the _audit index & count2 as a count by the info field in the _audit index.
So, what is going wrong with your query?
The command expects the index and the count by field values(action and info in the above example) to exist, failing which it will return the error you describe above. I re-run the above query, slightly changing the query by changing the index to index=dummy and I receive the above error.
But, I know your index is existing, what else can go wrong?
The count by fields. Is device an extracted field? For example, I changed the action (which is an extracted field at index time) to have the string dummy added to the action and I run a query like this:
index=_audit
| eval actionable=action+"dummy"
| eval count1=[ search index=_audit
| stats count by actionable| table count | return $count]
| table count1
This won't work and will give me the error - Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression, that you see. Why so? Because the sub search in the eval count1 gets executed first AND that search does not fine any field called 'actionable'!
However, If i add an eval inside the sub search and re-jig my query to this:
index=_audit
| eval count1=[ search index=_audit
| eval actionable=action+"dummy"
| stats count by actionable| table count | return $count]
| table count1
It works because the count1 eval search query now knows what actionable field means.
See second screen shot
So, you need to re-jig your sub search query and define your fields accordingly. I suggest you run and test on the _audit index with the as is queries given above to have an understanding of how to retro-fit it to your actual index and fields. There is no issues with the eval command, rather with the field mapping and discovery but I do think these hints on the _audit index will set you on your way.
I apologize for replying late but I had to concentrate on actual office work - the bread& butter calls 🙂
Hi,
It is possible, I tested this query on the default _audit index. if you have access to the default _audit index you can run the below code as is :
|makeresults|eval count1=[ search index=_audit | stats count by action | table count | return $count]
| eval count2=[ search index=_audit | stats count by info | table count | return $count]
Here I have taken count1 as a count by the action field in the _audit index & count2 as a count by the info field in the _audit index.
So, what is going wrong with your query?
The command expects the index and the count by field values(action and info in the above example) to exist, failing which it will return the error you describe above. I re-run the above query, slightly changing the query by changing the index to index=dummy and I receive the above error.
But, I know your index is existing, what else can go wrong?
The count by fields. Is device an extracted field? For example, I changed the action (which is an extracted field at index time) to have the string dummy added to the action and I run a query like this:
index=_audit
| eval actionable=action+"dummy"
| eval count1=[ search index=_audit
| stats count by actionable| table count | return $count]
| table count1
This won't work and will give me the error - Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression, that you see. Why so? Because the sub search in the eval count1 gets executed first AND that search does not fine any field called 'actionable'!
However, If i add an eval inside the sub search and re-jig my query to this:
index=_audit
| eval count1=[ search index=_audit
| eval actionable=action+"dummy"
| stats count by actionable| table count | return $count]
| table count1
It works because the count1 eval search query now knows what actionable field means.
See second screen shot
So, you need to re-jig your sub search query and define your fields accordingly. I suggest you run and test on the _audit index with the as is queries given above to have an understanding of how to retro-fit it to your actual index and fields. There is no issues with the eval command, rather with the field mapping and discovery but I do think these hints on the _audit index will set you on your way.
I apologize for replying late but I had to concentrate on actual office work - the bread& butter calls 🙂
