Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: Typechecking failed. '-' only takes numbers

raytroy
New Member
‎04-24-2014 04:01 PM

I have tried many ways to get the difference between two numbers.

Here is what I have tried.

try 1: event=subscription data.price>0 AND data.endDate>0 | eval rr = (data.endDate - data.startDate) Results in Error in 'eval' command: Typechecking failed. '-' only takes numbers

try 2: event=subscription data.price>0 AND data.endDate>0 | convert num(data.startDate) num(data.endDate) | eval j = (data.endDate - data.startDate) Results in Error in 'eval' command: Typechecking failed. '-' only takes numbers

try 3: event=subscription data.price>0 AND data.endDate>0 | convert num(data.startDate) num(data.endDate) | table data.endDate data.startDate Has two columns of data and looks great.

data.endDate data.startDate

1397636176441 1397483257122

1397161336056 1397161260357

I would like to subtract data.endDate from data.startDate. 139763617641 - 1397483257122 =

I always get the error, Error in 'eval' command: Typechecking failed. '-' only takes numbers, for try 1 and try2. I thought it had to do with the data being a string and that is why I tried to convert (the second try). I tabled (try 3) and get output.

Thank you for your help.

Tags (3)
0 Karma
Reply

alai
Explorer
‎09-09-2020 05:57 AM

Use single quotes:

eval result = 'data.endDate' - 'data.startDate'

 

0 Karma
Reply

HiroshiSatoh
Champion
‎04-24-2014 10:23 PM

Use the period to become errors.Changed field names?

・・・・・|eval data_endDate = data.endDate|eval data_startDate = data.startDate|eval rr=data_endDate- data_startDate
0 Karma
Reply

raytroy
New Member
‎04-25-2014 10:02 AM

I think I have solved the problem. The data.endDate was one level deep in the tree and the . was the only way to access the information inside those columns. Once I moved the data to the outer most tree level it worked. Lesson learned, make all the data on one level and don't embed object or events inside another event/dataset. Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...