Splunk IT Service Intelligence

In Splunk IT Service Intelligence, can you help me with the following error: "Error in 'eval' command: The expression is malformed."

sboogaar
Path Finder

I have the following query that runs fine:

index=someindex original_index=someindex earliest=1553986800 latest=1554069600 
    | eval date_display = strftime(1553986800, "%a %B %d %m") 
    | stats values(date_display) as date_determined
    | return $date_determined

When I use this search as a subsearch like...

index=some_license_index earliest=1553986800 latest=1554069600 
| eval determine_date = 
    [ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600 
    | eval date_display = strftime(1553986800, "%a %B %d %m") 
    | stats values(date_display) as date_determined
    | return $date_determined ] 
| stats sum(bytes) as "License Usage" by original_source 

...I get the following error:

Error in 'eval' command: The expression is malformed.

When I change it to...

index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600 
| eval determine_date = 
    [ search index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600 
    | eval date_display = 1234
    | stats values(date_display) as date_determined
    | return $date_determined ] 
| stats sum(bytes) as "License Usage" by original_source

...It works fine (note the eval in the subsearch)

0 Karma

somesoni2
Revered Legend

The problem here is that your original subsearch returns a string value which has spaces and no enclosing double quotes, and it fails when that is returned to eval. Your last search works as you're using a numerical value.

e.g. | eval test=1234 works but | eval test=Mon Apr 1 2019 will not.

If you have to return a string value, add double quotes to the value in the subsearch, like this:
Updated

index=some_license_index earliest=1553986800 latest=1554069600 
 | eval determine_date = 
     [ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600 
     | eval date_display = strftime(1553986800, "\"%a %B %d %m\"") 
     | stats values(date_display) as search ] 
 | stats sum(bytes) as "License Usage" by original_source

Also, do you always return hard-coded data value from the subsearch???

sboogaar
Path Finder

I get the following error:

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

"Also, do you always return hard-coded data value from the subsearch???"

No, but I tried to give an easy example containing the problem.

0 Karma

somesoni2
Revered Legend

What's your actual subsearch that you will be using?? Also, try the updated version.

0 Karma

ramass
New Member

@somesoni2 I think you missed the following eval before return:

| eval date_determined="\"".date_determined."\""

@sboogaar, even if you have provided an example that returns a hard-coded value from the subsearch, is it possible your subsearch will return multiple values? Is it the values() aggregate function that you need, or something else which better suits your needs? Or else would you convert the multi-value result to a single value?

0 Karma
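
The two suggestions in this thread put together, as an added example that was not posted by any of the participants: the subsearch keeps its original `return $date_determined`, and an eval just before it wraps the value in double quotes so that the text spliced into the outer eval is a valid string literal. The `mvjoin` step and its ", " separator are assumptions added here to collapse a multi-value result from values() into one string before quoting; index and field names are the ones from the question.

```spl
index=some_license_index earliest=1553986800 latest=1554069600
| eval determine_date =
    [ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600
    | eval date_display = strftime(1553986800, "%a %B %d %m")
    | stats values(date_display) as date_determined
    | eval date_determined = mvjoin(date_determined, ", ")
    | eval date_determined = "\"" . date_determined . "\""
    | return $date_determined ]
| stats sum(bytes) as "License Usage" by original_source
```

Because the subsearch output is inserted as text, a returned value that itself contains a double quote would end the string literal early and bring back the eval parse error.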