
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

New Member

Hi,

For an SLA project, I'm using Splunk to read the availability status of some services from Nagios.
Using the condition "current_state=2 AND current_check_attempt=max_check_attempts", Nagios states a critical situation. My search works fine if some critical events are found, but if they aren't found I get the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

because I can't get the last_time_ok field in the stats count latest(last_time_critical) as last_time_critical by last_time_ok.
The last_time_ok field is important to understand when a new incident starts.

How can I resolve this? Here is my search:

index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:
 | eventstats earliest(_time) as start_period latest(_time) as end_period
 | eval duration_period=end_period - start_period
 | eval duration_incident=if((current_state = 2),
     [search index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:
      | where current_state=2 AND current_check_attempt=max_check_attempts
      | stats count latest(last_time_critical) as last_time_critical by last_time_ok
      | eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))
      | eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))
      | eval duration_incident=end_incident - start_incident
      | stats sum(duration_incident) as duration_incident
      | return $duration_incident],0)
 | eval %unavail=round(duration_incident/(duration_period)*100,2)
 | eval %= round((100 - '%unavail'),2)
 | eval %= round((100 - '%unavail'),2)
 | sort %
 | head 1
 | fields %

Many thanks for your support.
Antonio

0 Karma

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

SplunkTrust

Looks like there is an ending ] bracket in the middle of the return statement.

However I'm guessing that's a typo or the forum auto formatting because you didn't surround your code with code tags.

To solve the problem when a field might be null try this:

 ...| eval possibleNullField=if(isnull(possibleNullField),"NULL",possibleNullField) | ...

To be read as: if this field is empty, make it equal to the string "NULL"; else, make it the value of itself.

0 Karma

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

New Member

Hi jkat54,

The ] is the end bracket of the subsearch. In any case, I've inserted |eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok) but I still get the issue. There shouldn't be any syntax error, because if I change the earliest time to get some critical events the search works fine. Here is the newest search:

index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:
 | eventstats earliest(_time) as start_period latest(_time) as end_period
 | eval duration_period=end_period - start_period
 | eval duration_incident=if((current_state = 2),
     [search index=app_nagios sourcetype=ydms_status earliest=-1mon SERVICESTATEID:sasv03qb:
      | where current_state=2 AND current_check_attempt=max_check_attempts
      | eval last_time_ok=if(isnull(last_time_ok),"NULL",last_time_ok)
      | stats count latest(last_time_critical) as last_time_critical by last_time_ok
      | eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))
      | eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))
      | eval duration_incident=end_incident - start_incident
      | stats sum(duration_incident) as duration_incident
      | return $duration_incident],0)
 | eval %unavail=round(duration_incident/(duration_period)*100,2)
 | eval %= round((100 - '%unavail'),2)
 | eval %= round((100 - '%unavail'),2)
 | sort %
 | head 1
 | fields % *

Please let me know any other workarounds.

Many thanks for the support.
Antonio

0 Karma

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

SplunkTrust

Try moving your subsearch out of your eval somehow. It could be an append, etc., prior to the eval that needs it.

You've got some condition where it can't return $duration_incident and you need to figure out what condition(s) that is and account for them.


Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

New Member

Hi jkat54,

Yes, now it works! I have added the following append in the middle to create a single event with duration_incident=0:

append[search index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:|head 1|eval duration_incident=0]

Here is the new search:

index=app_nagios sourcetype=ydms_status earliest=-3mon SERVICESTATEID:sasv03qb:
 | eventstats earliest(_time) as start_period latest(_time) as end_period
 | eval duration_period=end_period - start_period
 | eval duration_incident=if((current_state = 2  ),
     [search index=app_nagios sourcetype=ydms_status earliest=-3mon SERVICESTATEID:sasv03qb:
      | where current_state=2 AND current_check_attempt=max_check_attempts
      | stats count latest(last_time_critical) as last_time_critical by last_time_ok
      | eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))
      | eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))
      | eval duration_incident=end_incident - start_incident
      | append[search index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:|head 1|eval duration_incident=0]
      | stats sum(duration_incident) as duration_incident
      | return $duration_incident],0)
 | eval %unavail=round(duration_incident/(duration_period)*100,2)
 | eval %= round((100 - '%unavail'),2)
 | eval %= round((100 - '%unavail'),2)
 | sort %
 | head 1
 | fields % *

Thank you very much for your great support.

Antonio

0 Karma
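
The failure discussed in this thread, an empty subsearch result leaving nothing between the commas of if(...), can also be guarded inside the subsearch itself. The following is an added example, not code from any poster in the thread: it reuses the thread's index, sourcetype and field names, and adds appendpipe and coalesce so that return always has a value to substitute without running a second search against the index.

```spl
index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:
| eventstats earliest(_time) as start_period latest(_time) as end_period
| eval duration_period=end_period - start_period
| eval duration_incident=if((current_state = 2),
    [search index=app_nagios sourcetype=ydms_status earliest=-1h SERVICESTATEID:sasv03qb:
     | where current_state=2 AND current_check_attempt=max_check_attempts
     | stats count latest(last_time_critical) as last_time_critical by last_time_ok
     | eval end_incident=if(isnull(last_time_critical),0,strptime(last_time_critical,"%Y-%m-%d %H:%M:%S"))
     | eval start_incident=if(isnull(last_time_ok),0,strptime(last_time_ok,"%Y-%m-%d %H:%M:%S"))
     | eval duration_incident=end_incident - start_incident
     | stats sum(duration_incident) as duration_incident
     | appendpipe [stats count | where count=0]
     | eval duration_incident=coalesce(duration_incident,0)
     | return $duration_incident],0)
| eval %unavail=round(duration_incident/(duration_period)*100,2)
| eval %=round((100 - '%unavail'),2)
| sort %
| head 1
| fields %
```

The appendpipe adds a row only when the subsearch pipeline produced none, and coalesce turns a null sum into 0. With no critical events the eval therefore expands to if((current_state = 2),0,0) and parses.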

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

SplunkTrust

Can you convert this to a comment on my answer that suggested using append, and then mark my answer as the answer to give me credit for the idea, please? Thanks in advance!

0 Karma

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

New Member

As you suggested, I inserted an APPEND command to set the duration_incident field to "0", and now it works very well.
Thank you for your great support.
Antonio

0 Karma

Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'

New Member

Thank you very much.
It works! As you suggested, inserting an APPEND command to set the duration_incident field to "0" has resolved my issue.

Thanks again
Antonio

0 Karma