Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error with eval expression using eventstats command in Splunk Datamodel

mogoe2
New Member
‎12-09-2019 05:55 AM

Hi,

I want to create below search using splunk DataModel:
index="oqa_pub" sourcetype="idesk_db_inc" |search RESOLVERGROUP="ABC" |eventstats earliest(_time) as ticket_start_time |eventstats latest(_time) as ticket_end_time| where isnotnull(LAST_RESOLVED_DATE) AND (LAST_RESOLVED_DATE >= ticket_start_time AND LAST_RESOLVED_DATE <= ticket_end_time) | where NOT DETAILED_DECRIPTION like "%bamAudit%" |where STATUS !=6|dedup INCIDENT_NUMBER|chart count(INCIDENT_NUMBER)

but when I am trying to put "ticket_start_time" and "ticket_end_time" in eval expression, it gives me an error in pivot
"Error in 'eval' command: The expression is malformed. "

Any help would be highly appreciated.

Tags (2)
0 Karma
Reply

MuS
Legend
‎12-09-2019 11:13 AM

Hi mogoe2,

eventstats is not an eval function. You can find all eval functions here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Functions

As for your use case, you might have to provide some samples and more detail what it is that you want to achieve.

Hope this helps ...

cheers, MuS

0 Karma
Reply

mogoe2
New Member
‎12-09-2019 11:58 AM

Thanks..
From this query, I am.looking to find out number of incidents which have been resolved by my team during particular duration.
Intent is to create splunk data model and provide it to my team to find themselves incident count.
While creating splunk data model, I.am unable to find how do I use ticket_start_time" and "ticket_end_time" in eval expression as it is only option I have in splunk data model creation. As soon as I go to pivot to analyse my data model, I start getting error "Error in 'eval' command: The expression is malformed".
Hope I have been able to explain.

0 Karma
Reply

MuS
Legend
‎12-09-2019 12:07 PM

As I said eventstats is not an eval function so you need to find another way to create the needed time fields in the datamodel - Sorry.

cheers, MuS

0 Karma
Reply

mogoe2
New Member
‎12-09-2019 10:38 AM

While creating splunk data model, I am using eval expression as
Eval ticket_start_time= eventstats earliest(_time)

Thanks

0 Karma
Reply

aberkow
Builder
‎12-09-2019 07:37 AM

Can you add the eval command line here?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...