Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eval fails on save search but works in Flashtimeline.. why ?

john_loch
Explorer
‎11-16-2010 03:36 AM

The following works in the flashtimeline, but as soon as i try to save as search or chart etc it fails.. why ?

index=myindex sourcetype="mylog" FATAL | stats count AS rslt | eval nres = rslt / [search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query] | stats first(nres)

It fails with the following: SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query]'.

I have replaced the index and log names with generic names in the sample above, and the actual role of the query is to divide count of fatal errors into the count of pages served a basic quality/load metric)

Thanks.

Tags (2)
Reply

rajiv_kumar
Path Finder
‎05-23-2013 11:47 AM

Is this issue fixed??

0 Karma
Reply

carasso
Splunk Employee
Splunk Employee
‎01-07-2011 12:02 AM

Short answer: this is a bug.

The code to parse searches without running them notes that the subsearch (having not run) is not a valid eval expression.

A bug has been filed (SPL-36704). Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...