Splunk Search

Eval Error In Search Statement

johnboldt
Explorer

I'm receiving the following error message on a search: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

The expression is a search macro that takes a string parameter and returns a message based on a regex match using a case statement which uses the match function.

This statement was working at one point, and then I started getting the error. Any ideas?

Tags (1)
0 Karma

woodcock
Esteemed Legend

You are missing an end/right-parenthesis ")" that I highlight in red:

case (
match($message$, "Some Message" ), 500,
match($message$, "Another Message:"), 500,
match($message$, "Yet Another Message:"), 500
)

0 Karma

woodcock
Esteemed Legend

If this was the problem, do click "Accept" on the answer to close it.

0 Karma

johnboldt
Explorer

Also, the "ExtractFriendlyMetricName" listed above is a similar case statement and it works fine.

0 Karma

johnboldt
Explorer

Here's the search:

sourcetype="SRCTYPE" hoursago=1 | `InetServiceCallsSearch` | eval Metric=`ExtractFriendlyMetricName(Message)` | eval SLA=`GetActivitySLA(Message)` | stats count as "Count", avg(elapsedTime) as "Average", p95(elapsedTime) as "95th Percentile", max(SLA) as "SLA" by Metric

The eval that's blowing up is GetActivitySLA, listed below:

case (
match($message$, "Some Message", 500,
match($message$, "Another Message:"), 500, 
match($message$, "Yet Another Message:"), 500
)

If I extract the macro body and place it directly into the search it works fine:

eval SLA=case (...)
0 Karma

sideview
SplunkTrust
SplunkTrust

Agreed with southeringtonp - please post the search and also the macros it uses.

0 Karma

southeringtonp
Motivator

Posting the actual search would go a long way toward getting a useful answer. Please edit your question above to provide more detail.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Hi Splunky people! We are excited to share the newest updates in Splunk Enterprise 9.3!Admins and Analyst can ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...