Solved: Why am I getting an error "Error in 'eval' command...

wrangler2x · ‎05-03-2018

I've got a real simple dashboard that has two inputs (a start time and an end time). Where I'm trying to assign the value entered from the input token to a variable using eval, it generates this error when the thing runs:

Error in 'eval' command: The expression is malformed.

It looks like it should be straightforward to me, but it does not work. I've used this technique in a search and that works with no problem. Is there something I have to do differently when using eval? Here is the dashboard

<form>
  <label>Elapsed Time Calculator</label>
  <description>Enter time in %H:%M format as 24 hour time</description>
 <searchTemplate>
| makeresults
| eval starttime = $STARTT$
| eval endtime = $ENDT$
| eval sepoch = strptime(starttime, "%H:%M")
| eval eepoch = strptime(endtime, "%H:%M")
| eval elapsedMin = round((eepoch - sepoch) / 60, 0)
| eval elapsedHour = round(elapsedMin / 60, 3)
| table starttime endtime elapsedMin elapsedHour
</searchTemplate>
  <fieldset>
    <input type="text" token="STARTT" searchWhenChanged="true"></input>
    <input type="text" token="ENDT" searchWhenChanged="true"></input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Search result</title>
      </table>
    </panel>
  </row>
</form>

MuS · ‎05-03-2018

Hi wrangler2x,

your token is a string, but your code tells eval to use a field. Change it have the tokens in quotes and it will work 😉

<form>
   <label>Elapsed Time Calculator</label>
   <description>Enter time in %H:%M format as 24 hour time</description>
   <fieldset>
     <input type="text" token="STARTT" searchWhenChanged="true"></input>
     <input type="text" token="ENDT" searchWhenChanged="true"></input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query>
             | makeresults
             | eval starttime = "$STARTT$"
             | eval endtime = "$ENDT$"
             | eval sepoch = strptime(starttime, "%H:%M")
             | eval eepoch = strptime(endtime, "%H:%M")
             | eval elapsedMin = round((eepoch - sepoch) / 60, 0)
             | eval elapsedHour = round(elapsedMin / 60, 3)
             | table starttime endtime elapsedMin elapsedHour
            </query>
          </search>
         <title>Search result</title>
       </table>
     </panel>
   </row>
 </form>

Update: I also updated the XML code.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎05-03-2018

Hi wrangler2x,

your token is a string, but your code tells eval to use a field. Change it have the tokens in quotes and it will work 😉

<form>
   <label>Elapsed Time Calculator</label>
   <description>Enter time in %H:%M format as 24 hour time</description>
   <fieldset>
     <input type="text" token="STARTT" searchWhenChanged="true"></input>
     <input type="text" token="ENDT" searchWhenChanged="true"></input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query>
             | makeresults
             | eval starttime = "$STARTT$"
             | eval endtime = "$ENDT$"
             | eval sepoch = strptime(starttime, "%H:%M")
             | eval eepoch = strptime(endtime, "%H:%M")
             | eval elapsedMin = round((eepoch - sepoch) / 60, 0)
             | eval elapsedHour = round(elapsedMin / 60, 3)
             | table starttime endtime elapsedMin elapsedHour
            </query>
          </search>
         <title>Search result</title>
       </table>
     </panel>
   </row>
 </form>

Update: I also updated the XML code.

Hope this helps ...

cheers, MuS

wrangler2x · ‎05-03-2018

Aha! @MuS -- genius!

richgalloway · ‎05-03-2018

Perhaps you could put fieldset before searchTemplate?

---
If this reply helps you, Karma would be appreciated.

Why am I getting an error "Error in 'eval' command" for lines assigning a token to a variable in a dashboard?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes