- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Error with eval expression using eventstats comman...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error with eval expression using eventstats command in Splunk Datamodel
Hi,
I want to create below search using splunk DataModel:
index="oqa_pub" sourcetype="idesk_db_inc" |search RESOLVERGROUP="ABC" |eventstats earliest(_time) as ticket_start_time |eventstats latest(_time) as ticket_end_time| where isnotnull(LAST_RESOLVED_DATE) AND (LAST_RESOLVED_DATE >= ticket_start_time AND LAST_RESOLVED_DATE <= ticket_end_time) | where NOT DETAILED_DECRIPTION like "%bamAudit%" |where STATUS !=6|dedup INCIDENT_NUMBER|chart count(INCIDENT_NUMBER)
but when I am trying to put "ticket_start_time" and "ticket_end_time" in eval expression, it gives me an error in pivot
"Error in 'eval' command: The expression is malformed. "
Any help would be highly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mogoe2,
eventstats is not an eval function. You can find all eval functions here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Functions
As for your use case, you might have to provide some samples and more detail what it is that you want to achieve.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks..
From this query, I am.looking to find out number of incidents which have been resolved by my team during particular duration.
Intent is to create splunk data model and provide it to my team to find themselves incident count.
While creating splunk data model, I.am unable to find how do I use ticket_start_time" and "ticket_end_time" in eval expression as it is only option I have in splunk data model creation. As soon as I go to pivot to analyse my data model, I start getting error "Error in 'eval' command: The expression is malformed".
Hope I have been able to explain.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I said eventstats is not an eval function so you need to find another way to create the needed time fields in the datamodel - Sorry.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While creating splunk data model, I am using eval expression as
Eval ticket_start_time= eventstats earliest(_time)
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you add the eval command line here?
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
