Splunk Search

Eval function weird return

gamification
Explorer

Hello,

I am doing a search and I know it will sometimes return no results.

index=gamification AND sourcetype = stash   | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure

Why does table isFailure never show any results?

Another example is my concrete query:

index=gamification  |  spath 
                    | rename gamification.action.name as actionId,
                              gamification.user.id as playerId, 
                              _indextime as date,
                              gamification.origin.name as origin 
                     | where origin="sparxea" 
                     | eval updated=[
                            search index=gamification AND sourcetype = stash 
                            | eval isFailure=if(searchmatch("gamification"),1,0) 
                            | eval updated=if(isFailure =="0",now(),_indextime) 
                            | return $updated ] 
                     | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") 
                     | where date > updated                     
                     | table updated,date,playerId,actionId 
                     |  script python gamification -t playlyfe -c action -m p 
                     | collect index="gamification"

Here I am testing whether I have event results in a subsearch; if I have, I take the indextime of the first result, if not, the actual time.
With this search, I got an error: eval dest_key = expression

Here is why I am testing the result count: https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html. This link seemed to be a possible solution to my problem.

At the beginning, I was doing the subsearch like this, but it gives me the same error: eval dest_key = expression

 | eval updated=[ search index=gamification AND sourcetype = stash 
                             | eval updated=if( isnotnull( extractfield ),_indextime,now())
                             | return $updated ] 

I really need help, please. Thanks


jkat54
SplunkTrust
  index=gamification AND sourcetype = stash   | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure

Why does table isFailure never show any results?

Because you're using != instead of =. Eval is a generating command... in this case your logic is saying... don't generate anything.

You want something like this instead:

  index=gamification AND sourcetype = stash   | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure

This one fails because of spacing:

 index=gamification  |  spath 
                     | rename gamification.action.name as actionId,
                               gamification.user.id as playerId, 
                               _indextime as date,
                               gamification.origin.name as origin 
                      | where origin="sparxea" 
                      | eval updated=[
                             search index=gamification AND sourcetype = stash 
                             | eval isFailure=if(searchmatch("gamification"),1,0) 
                             | eval updated=if(isFailure =="0",now(),_indextime) 
                             | return $updated ] 
                      | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") 
                      | where date > updated                     
                      | table updated,date,playerId,actionId 
                      |  script python gamification -t playlyfe -c action -m p 
                      | collect index="gamification"

Should be like this instead:

 index=gamification  |  spath 
                     | rename gamification.action.name as actionId,
                               gamification.user.id as playerId, 
                               _indextime as date,
                               gamification.origin.name as origin 
                      | where origin="sparxea" 
                      | eval updated=[
                             search index=gamification AND sourcetype=stash 
                             | eval isFailure=if(searchmatch("gamification"),1,0) 
                             | eval updated=if(isFailure=="0",now(),_indextime) 
                             | return $updated ] 
                      | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") 
                      | where date > updated                     
                      | table updated,date,playerId,actionId 
                      | script python gamification -t playlyfe -c action -m p 
                      | collect index="gamification"

I fixed spacing here:

                             search index=gamification AND sourcetype=stash 

And here:

                             | eval updated=if(isFailure=="0",now(),_indextime) 

And here:

                      | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") 

Same with this one:

  | eval updated=[ search index=gamification AND sourcetype=stash 
                              | eval updated=if(isnotnull(extractfield),_indextime,now())
                              | return $updated ] 

gamification
Explorer

Actually the problem is in my main query:
sometimes the subsearch returns events, sometimes not.
What I want to achieve is that, depending on whether I find results or not, it gives me a different date.
Here is the change I did in the subsearch (it's what I have wanted to achieve since the beginning).

search index=gamification AND sourcetype= stash
                              | eval origin=originUpdate
                              | where origin="sparxea"
                              | eval time = _indextime
                              | eval updated=if(isnull(time),now(),_indextime) 
                              | return $updated

Even though I should always return a date because of this line | eval updated=if(isnull(time),now(),_indextime),
the eval function gives me the error eval dest_key = expression because when no events are found, eval is unable to generate values to return. I can't figure out how to do it.

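As an added example, not code from the thread: when the subsearch matches no events, return emits nothing, so the outer command becomes a bare eval updated= and Splunk reports the eval usage message. Guarding the subsearch with stats count makes it produce exactly one row in every case (count=0 when nothing matched), so a value is always handed back. This assumes the same index, sourcetype and field names as the original query; the original's trailing script and collect steps are left out.

```spl
index=gamification
| spath
| rename gamification.action.name as actionId,
         gamification.user.id as playerId,
         _indextime as date,
         gamification.origin.name as origin
| where origin="sparxea"
| eval updated=[
    search index=gamification sourcetype=stash
    | stats count, max(_indextime) as last_seen
    | eval updated=if(count==0, now(), last_seen)
    | return $updated ]
| eval updated=tonumber(updated)
| where date > updated
| table updated, date, playerId, actionId
```

The tonumber step keeps the comparison in where numeric, since return $updated hands the value back as a literal in the expanded search string; keep any strftime formatting for display after the where, not before it.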

gamification
Explorer

Hello ,

I tried your solutions.

index=gamification AND sourcetype = stash   | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure

It gives me no result found.

The main query with your spacing fixes still gives me the same error: eval dest_key = expression


jkat54
SplunkTrust

I see a space on both sides of your equals ( = ) still. Did you try without that?

I think this is the problem:

| eval isFailure=if(search match("gamification"),1,0)

Should be this instead:

| eval isFailure=if(match(gasification,"REGEX"),1,0)

And I don't know your regex. What if you just remove this one eval?


gamification
Explorer

Hello,

Thanks for your answer.
I'll try it soon and give a reply!
