Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

antoniofacchi
New Member
‎01-04-2017 01:34 AM

Hi,

for a SLA project, I'm using Splunk to read Nagios the availability status of some services.
Using the condition "current_state=2 AND current_check_attempt=max_check_attempts", Nagios state a critical situation. My search works fine if some critical events are found, but if they aren't found I get the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

because I can't get the last_time_ok field in the stats count latest(last_time_critical) as last_time_critical by last_time_ok.
The last_time_ok field is important to understand ehen start a new incident.

How can resolve? Here my search:

index=app_nagios sourcetype=ydms_status  earliest=-1h SERVICESTATEID:sasv03qb:
 |eventstats earliest(_time) as start_period latest(_time) as end_period                        
 |eval duration_period=end_period - start_period 
 |eval duration_incident=if((current_state = 2),
 [search index=app_nagios sourcetype=ydms_status  earliest=-1h SERVICESTATEID:sasv03qb:   
     |where current_state=2 AND current_check_attempt=max_check_attempts |stats count latest(last_time_critical) as  last_time_critical by last_time_ok |eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|eval duration_incident=end_incident - start_incident|stats sum(duration_incident) as duration_incident|return $duration_incident],0)|eval %unavail=round(duration_incident/(duration_period)*100,2)                         
|eval %= round((100 - '%unavail'),2)|eval %= round((100 - '%unavail'),2)|sort  %|head 1|fields %

Many thanks for your support.
Antonio

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-04-2017 06:32 AM

Try moving your subsearch out of your eval somehow. It could be an append, etc. Prior to the eval that needs it.

You've got some condition where it can't return $duration_incident and you need to figure out what condition(s) that is and account for them.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-04-2017 06:32 AM

Try moving your subsearch out of your eval somehow. It could be an append, etc. Prior to the eval that needs it.

You've got some condition where it can't return $duration_incident and you need to figure out what condition(s) that is and account for them.

Reply
Solved! Jump to solution

antoniofacchi
New Member
‎01-04-2017 10:56 PM

Thank you very much.
It works! How you have suggested inserting an APPEND commnad to set "0" the duration_incident field has resolved my issue.

Thanks again
Antonio

0 Karma
Reply
Solved! Jump to solution

antoniofacchi
New Member
‎01-04-2017 07:40 AM

Hi jkat54,

yes, now it works! I have added the following append in the middle to create a single event with duration_incident=0:

append[search index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:|head 1|eval duration_incident=0]

Here the newly search:

index=app_nagios sourcetype=ydms_status  earliest=-3mon SERVICESTATEID:sasv03qb:
 |eventstats earliest(_time) as start_period latest(_time) as end_period                        
 |eval duration_period=end_period - start_period 
 |eval duration_incident=if((current_state = 2  ),
 [search index=app_nagios sourcetype=ydms_status  earliest=-3mon SERVICESTATEID:sasv03qb:   
     |where current_state=2 AND current_check_attempt=max_check_attempts |stats count latest(last_time_critical) as  last_time_critical by last_time_ok |eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|eval duration_incident=end_incident - start_incident|append[search index=app_nagios sourcetype=ydms_status  earliest=-1h SERVICESTATEID:sasv03qb:|head 1|eval duration_incident=0]|stats sum(duration_incident) as duration_incident|return $duration_incident],0)|eval %unavail=round(duration_incident/(duration_period)*100,2)                         
|eval %= round((100 - '%unavail'),2)|eval %= round((100 - '%unavail'),2)|sort  %|head 1|fields % *

Thank you very much for your great support.

Antonio

0 Karma
Reply
Solved! Jump to solution

antoniofacchi
New Member
‎01-04-2017 10:52 PM

How you've suggested, I insert an APPEND command to set "0" duration_incidend field, and now it works very well.
Thank you for your great support.
Antonio

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-04-2017 01:16 PM

can you convert this to a comment on my answer that suggested using append, and then mark my answer as the answer to give me credit for the idea please? Thanks in advance!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-04-2017 04:11 AM

Looks like there is an ending ] bracket in the middle of the return statement.

However I'm guessing that's a typo or the forum auto formatting because you didn't surround your code with code tags.

To solve the problem when a field might be null try this:

 ...| eval possibleNullField=if(isnull(possibleNullField),"NULL",possibleNullField) | ...

To be read as if this field is empty, make it equal the string of "NULL". else, make it the value of itself.

0 Karma
Reply
Solved! Jump to solution

antoniofacchi
New Member
‎01-04-2017 05:01 AM

Hi jkat54,

the ] is the end bracket of the subsearch. In any case, I've inserted |eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok) but I still got the Issue. I dont' should be any syntax error becuase If I change the earliest time to get some critical events the search works fine. I ship the newest search:
*index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:
|eventstats earliest(_time) as start_period latest(_time) as end_period

|eval duration_period=end_period - start_period
|eval duration_incident=if((current_state = 2),
[search index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:

|where current_state=2 AND current_check_attempt=max_check_attempts|eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok) |stats count latest(last_time_critical) as last_time_critical by last_time_ok |eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))|eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))|eval duration_incident=end_incident - start_incident|stats sum(duration_incident) as duration_incident|return $duration_incident],0)|eval %unavail=round(duration_incident/(duration_period)*100,2)

|eval %= round((100 - '%unavail'),2)|eval %= round((100 - '%unavail'),2)|sort %|head 1|fields %*

Please let me know any other workarounds.

Many thanks for the support.
Antonio

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...