Splunk Search

Eval function weird return

gamification
Explorer

Hello,

I am doing a search and I know sometimes it will return no results.

index=gamification AND sourcetype = stash   | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure

Why does table isFailure never show any results?

Another example is my concrete query:

index=gamification  |  spath 
                    | rename gamification.action.name as actionId,
                              gamification.user.id as playerId, 
                              _indextime as date,
                              gamification.origin.name as origin 
                     | where origin="sparxea" 
                     | eval updated=[
                            search index=gamification AND sourcetype = stash 
                            | eval isFailure=if(searchmatch("gamification"),1,0) 
                            | eval updated=if(isFailure =="0",now(),_indextime) 
                            | return $updated ] 
                     | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") 
                     | where date > updated                     
                     | table updated,date,playerId,actionId 
                     |  script python gamification -t playlyfe -c action -m p 
                     | collect index="gamification"

Here I am testing if I have event results in a subsearch; if I have, I take the indextime of the first result, if not, the actual time.
With this search, I got an error: eval dest_key = expression

Here is why I am testing the result count: https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html. This link seemed to be a possible solution to my problem.

At the beginning, I was doing the subsearch like this, but it gives me the same error: eval dest_key = expression

 | eval updated=[ search index=gamification AND sourcetype = stash 
                             | eval updated=if( isnotnull( extractfield ),_indextime,now())
                             | return $updated ] 

I really need help, please. Thanks

0 Karma

jkat54
SplunkTrust
  index=gamification AND sourcetype = stash   | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure

Why table isFailure never show any results?

Because you're using != instead of =. Eval is a generating command... in this case your logic is saying... don't generate anything.

You want something like this instead:

  index=gamification AND sourcetype = stash   | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure

This one fails because of spacing:

 index=gamification  |  spath 
                     | rename gamification.action.name as actionId,
                               gamification.user.id as playerId, 
                               _indextime as date,
                               gamification.origin.name as origin 
                      | where origin="sparxea" 
                      | eval updated=[
                             search index=gamification AND sourcetype = stash 
                             | eval isFailure=if(searchmatch("gamification"),1,0) 
                             | eval updated=if(isFailure =="0",now(),_indextime) 
                             | return $updated ] 
                      | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") 
                      | where date > updated                     
                      | table updated,date,playerId,actionId 
                      |  script python gamification -t playlyfe -c action -m p 
                      | collect index="gamification"

Should be like this instead:

 index=gamification  |  spath 
                     | rename gamification.action.name as actionId,
                               gamification.user.id as playerId, 
                               _indextime as date,
                               gamification.origin.name as origin 
                      | where origin="sparxea" 
                      | eval updated=[
                             search index=gamification AND sourcetype=stash 
                             | eval isFailure=if(searchmatch("gamification"),1,0) 
                             | eval updated=if(isFailure=="0",now(),_indextime) 
                             | return $updated ] 
                      | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") 
                      | where date > updated                     
                      | table updated,date,playerId,actionId 
                      | script python gamification -t playlyfe -c action -m p 
                      | collect index="gamification"

I fixed spacing here:

                             search index=gamification AND sourcetype=stash 

And here:

                             | eval updated=if(isFailure=="0",now(),_indextime) 

And here:

                      | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") 

Same with this one:

  | eval updated=[ search index=gamification AND sourcetype=stash 
                              | eval updated=if(isnotnull(extractfield),_indextime,now())
                              | return $updated ] 
0 Karma

gamification
Explorer

Actually the problem is in my main query:
sometimes the subsearch returns events, sometimes not.
What I want to achieve is that, depending on whether I find a result or not, it gives me a different date.
Here is the change I did in the subsearch (it's what I have wanted to achieve since the beginning).

search index=gamification AND sourcetype= stash
                              | eval origin=originUpdate
                              | where origin="sparxea"
                              | eval time = _indextime
                              | eval updated=if(isnull(time),now(),_indextime) 
                              | return $updated

Even if I should always return a date because of this line | eval updated=if(isnull(time),now(),_indextime),
the eval function gives me the error eval dest_key = expression because when no events are found, eval is unable to generate values to return. I can't figure out how to do it.

0 Karma
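The failure mode described in the post above is that `eval updated=[ ... | return $updated ]` substitutes the subsearch's output textually: when the subsearch matches no events, `return` emits nothing, the main search becomes `eval updated=` and Splunk reports the malformed-expression error quoting its expected form, `eval dest_key = expression`. The fix is to make the subsearch always produce exactly one row, which `stats` does: `stats count` returns a single row with `count=0` even when no events match. The following is an added example, not the poster's query or an answer from the thread. It reuses the index, sourcetype and field names from the thread, takes `max(_indextime)` as the "indextime of the first result" (an assumption: the first result in Splunk's default newest-first order is the one with the greatest `_indextime`), and leaves out the `script` and `collect` stages, which are unrelated to the error:

```spl
index=gamification
| spath
| rename gamification.action.name as actionId,
         gamification.user.id as playerId,
         _indextime as date,
         gamification.origin.name as origin
| where origin="sparxea"
| eval updated=[
      search index=gamification sourcetype=stash
      | stats count, max(_indextime) as lastIndexed
      | eval updated=if(count==0, now(), lastIndexed)
      | return $updated
  ]
| where date > updated
| eval updatedText=strftime(updated, "%Y.%m.%d %H:%M.%S")
| table updatedText, date, playerId, actionId
```

Two design points. First, the `stats` row guarantees that `return $updated` always substitutes one epoch value, so the outer `eval` is never left with an empty right-hand side. Second, the comparison `where date > updated` is done while both fields are still epoch numbers; the original query ran `strftime` on `updated` before the `where`, which turns it into a string and makes the comparison a string comparison against a numeric `date`, so the formatted value is produced only afterwards, for display. A quick check of the subsearch on its own (run `index=gamification sourcetype=stash | stats count, max(_indextime) as lastIndexed` over a time range with no events) should show a single row with `count=0`, confirming that the pattern yields a value even when nothing matches.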

gamification
Explorer

Hello ,

I tried your solutions.

index=gamification AND sourcetype = stash   | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure

It gives me "No results found".

The main query with your spacing fixes still gives me the same error: eval dest_key = expression

0 Karma

jkat54
SplunkTrust

I see a space on both sides of your equals ( = ) still. Did you try without that?

I think this is the problem:

| eval isFailure=if(search match("gamification"),1,0)

Should be this instead:

| eval isFailure=if(match(gamification,"REGEX"),1,0)

And I don't know your regex. What if you just remove this one eval?

0 Karma

gamification
Explorer

Hello,

Thanks for your answer.
I will try it soon and give a reply!

0 Karma