Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: Typechecking failed. '-' only takes numbers

raytroy
New Member
‎04-24-2014 04:01 PM

I have tried many ways to get the difference between two numbers.

Here is what I have tried.

try 1: event=subscription data.price>0 AND data.endDate>0 | eval rr = (data.endDate - data.startDate) Results in Error in 'eval' command: Typechecking failed. '-' only takes numbers

try 2: event=subscription data.price>0 AND data.endDate>0 | convert num(data.startDate) num(data.endDate) | eval j = (data.endDate - data.startDate) Results in Error in 'eval' command: Typechecking failed. '-' only takes numbers

try 3: event=subscription data.price>0 AND data.endDate>0 | convert num(data.startDate) num(data.endDate) | table data.endDate data.startDate Has two columns of data and looks great.

data.endDate data.startDate

1397636176441 1397483257122

1397161336056 1397161260357

I would like to subtract data.endDate from data.startDate. 139763617641 - 1397483257122 =

I always get the error, Error in 'eval' command: Typechecking failed. '-' only takes numbers, for try 1 and try2. I thought it had to do with the data being a string and that is why I tried to convert (the second try). I tabled (try 3) and get output.

Thank you for your help.

Tags (3)
0 Karma
Reply

alai
Explorer
‎09-09-2020 05:57 AM

Use single quotes:

eval result = 'data.endDate' - 'data.startDate'

 

0 Karma
Reply

HiroshiSatoh
Champion
‎04-24-2014 10:23 PM

Use the period to become errors.Changed field names?

・・・・・|eval data_endDate = data.endDate|eval data_startDate = data.startDate|eval rr=data_endDate- data_startDate
0 Karma
Reply

raytroy
New Member
‎04-25-2014 10:02 AM

I think I have solved the problem. The data.endDate was one level deep in the tree and the . was the only way to access the information inside those columns. Once I moved the data to the outer most tree level it worked. Lesson learned, make all the data on one level and don't embed object or events inside another event/dataset. Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...