Splunk Search

Eval Error In Search Statement

johnboldt
Explorer

I'm receiving the following error message on a search: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

The expression is a search macro that takes a string parameter and returns a message based on a regex match using a case statement which uses the match function.

This statement was working at one point, and then I started getting the error. Any ideas?

Tags (1)
0 Karma

woodcock
Esteemed Legend

You are missing an end/right-parenthesis ")" that I highlight in red:

case (
match($message$, "Some Message" ), 500,
match($message$, "Another Message:"), 500,
match($message$, "Yet Another Message:"), 500
)

0 Karma

woodcock
Esteemed Legend

If this was the problem, do click "Accept" on the answer to close it.

0 Karma

johnboldt
Explorer

Also, the "ExtractFriendlyMetricName" listed above is a similar case statement and it works fine.

0 Karma

johnboldt
Explorer

Here's the search:

sourcetype="SRCTYPE" hoursago=1 | `InetServiceCallsSearch` | eval Metric=`ExtractFriendlyMetricName(Message)` | eval SLA=`GetActivitySLA(Message)` | stats count as "Count", avg(elapsedTime) as "Average", p95(elapsedTime) as "95th Percentile", max(SLA) as "SLA" by Metric

The eval that's blowing up is GetActivitySLA, listed below:

case (
match($message$, "Some Message", 500,
match($message$, "Another Message:"), 500, 
match($message$, "Yet Another Message:"), 500
)

If I extract the macro body and place it directly into the search it works fine:

eval SLA=case (...)
0 Karma

sideview
SplunkTrust
SplunkTrust

Agreed with southeringtonp - please post the search and also the macros it uses.

0 Karma

southeringtonp
Motivator

Posting the actual search would go a long way toward getting a useful answer. Please edit your question above to provide more detail.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...