Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: Typechecking failed. '-' only takes numbers

raytroy
New Member
‎04-24-2014 04:01 PM

I have tried many ways to get the difference between two numbers.

Here is what I have tried.

try 1: event=subscription data.price>0 AND data.endDate>0 | eval rr = (data.endDate - data.startDate) Results in Error in 'eval' command: Typechecking failed. '-' only takes numbers

try 2: event=subscription data.price>0 AND data.endDate>0 | convert num(data.startDate) num(data.endDate) | eval j = (data.endDate - data.startDate) Results in Error in 'eval' command: Typechecking failed. '-' only takes numbers

try 3: event=subscription data.price>0 AND data.endDate>0 | convert num(data.startDate) num(data.endDate) | table data.endDate data.startDate Has two columns of data and looks great.

data.endDate data.startDate

1397636176441 1397483257122

1397161336056 1397161260357

I would like to subtract data.endDate from data.startDate. 139763617641 - 1397483257122 =

I always get the error, Error in 'eval' command: Typechecking failed. '-' only takes numbers, for try 1 and try2. I thought it had to do with the data being a string and that is why I tried to convert (the second try). I tabled (try 3) and get output.

Thank you for your help.

Tags (3)
0 Karma
Reply

alai
Explorer
‎09-09-2020 05:57 AM

Use single quotes:

eval result = 'data.endDate' - 'data.startDate'

 

0 Karma
Reply

HiroshiSatoh
Champion
‎04-24-2014 10:23 PM

Use the period to become errors.Changed field names?

・・・・・|eval data_endDate = data.endDate|eval data_startDate = data.startDate|eval rr=data_endDate- data_startDate
0 Karma
Reply

raytroy
New Member
‎04-25-2014 10:02 AM

I think I have solved the problem. The data.endDate was one level deep in the tree and the . was the only way to access the information inside those columns. Once I moved the data to the outer most tree level it worked. Lesson learned, make all the data on one level and don't embed object or events inside another event/dataset. Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...