Splunk Search

Eval fails on save search but works in Flashtimeline.. why ?

john_loch
Explorer

The following works in the flashtimeline, but as soon as i try to save as search or chart etc it fails.. why ?

index=myindex sourcetype="mylog" FATAL | stats count AS rslt | eval nres = rslt / [search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query] | stats first(nres)

It fails with the following: SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query]'.

I have replaced the index and log names with generic names in the sample above, and the actual role of the query is to divide count of fatal errors into the count of pages served a basic quality/load metric)

Thanks.

Tags (2)

rajiv_kumar
Path Finder

Is this issue fixed??

0 Karma

carasso
Splunk Employee
Splunk Employee

Short answer: this is a bug.

The code to parse searches without running them notes that the subsearch (having not run) is not a valid eval expression.

A bug has been filed (SPL-36704). Thank you.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...