Dashboards & Visualizations

Query runs ok in dashboard but not in "New Search"

hamilton1979
Engager

Hi all,

I receive the following error when I try to run my query as a "New Search". The query runs fine without issue in my dashboard!

Error in 'eval' command: The expression is malformed. Expected ).

I've copied my query in below, replacing what could be deemed sensitive data with XXXXX.

index=XXXXXX sourcetype="XXXXXXXXX" uri_path = "/XXX/portal/screen/AjaxScreen/action/GetXXXXXX*" | bin _time span=10m | eval resp_time = mvindex(split(other," "),0) | eval resp_time_sec = (resp_time/1000000) | convert ctime(_time) as Time timeformat="%d%m %H"| stats perc50(resp_time_sec) as median_resp by _time | eval Critical = if(median_resp>4,median_resp,0) | eval Warning = if(median_resp>2.5 AND median_resp<=4 ,median_resp,0) | eval OK = if(median_resp<=2.5,median_resp,0) | table _time,Critical,Warning,OK

Could someone help shed some light why the behavior is different in the dashboard vs. Search?

Tags (1)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@hamilton1979

Can you please share sample Panel code from your dashboard XML?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...