Eval Error In Search Statement

johnboldt · ‎11-15-2010

I'm receiving the following error message on a search: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

The expression is a search macro that takes a string parameter and returns a message based on a regex match using a case statement which uses the match function.

This statement was working at one point, and then I started getting the error. Any ideas?

woodcock · ‎05-26-2015

You are missing an end/right-parenthesis ")" that I highlight in red:

case (
match($message$, "Some Message" ), 500,
match($message$, "Another Message:"), 500,
match($message$, "Yet Another Message:"), 500
)

woodcock · ‎12-21-2015

If this was the problem, do click "Accept" on the answer to close it.

johnboldt · ‎11-16-2010

Also, the "ExtractFriendlyMetricName" listed above is a similar case statement and it works fine.

johnboldt · ‎11-16-2010

Here's the search:

sourcetype="SRCTYPE" hoursago=1 | `InetServiceCallsSearch` | eval Metric=`ExtractFriendlyMetricName(Message)` | eval SLA=`GetActivitySLA(Message)` | stats count as "Count", avg(elapsedTime) as "Average", p95(elapsedTime) as "95th Percentile", max(SLA) as "SLA" by Metric

The eval that's blowing up is GetActivitySLA, listed below:

case (
match($message$, "Some Message", 500,
match($message$, "Another Message:"), 500, 
match($message$, "Yet Another Message:"), 500
)

If I extract the macro body and place it directly into the search it works fine:

eval SLA=case (...)

sideview · ‎11-15-2010

Agreed with southeringtonp - please post the search and also the macros it uses.

southeringtonp · ‎11-15-2010

Posting the actual search would go a long way toward getting a useful answer. Please edit your question above to provide more detail.

Eval Error In Search Statement

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor