Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eval function weird return

gamification
Explorer
‎08-12-2016 09:30 AM

Hello,

I am doing a search and i know sometimes it will return no results.

index=gamification AND sourcetype = stash   | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure

Why table isFailure never show any results?

Another exemple is my concrete query :

index=gamification  |  spath 
                    | rename gamification.action.name as actionId,
                              gamification.user.id as playerId, 
                              _indextime as date,
                              gamification.origin.name as origin 
                     | where origin="sparxea" 
                     | eval updated=[
                            search index=gamification AND sourcetype = stash 
                            | eval isFailure=if(searchmatch("gamification"),1,0) 
                            | eval updated=if(isFailure =="0",now(),_indextime) 
                            | return $updated ] 
                     | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") 
                     | where date > updated                     
                     | table updated,date,playerId,actionId 
                     |  script python gamification -t playlyfe -c action -m p 
                     | collect index="gamification"

Here i am testing if i have event results in a subsearch, if i have, i take the indextime of the first result, if not, the actual time.
With this search, i got an error : eval dest_key = expression

Here is why i am testing the result count : https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html. This link seemed to be a possible solution to my problem.

At begining, i was doing the subsearsh like this, But it gives me the same error : eval dest_key = expression

 | eval updated=[ search index=gamification AND sourcetype = stash 
                             | eval updated=if( isnotnull( extractfield ),_indextime,now())
                             | return $updated ]

I really need help please. Thanks

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-12-2016 09:52 AM 
  index=gamification AND sourcetype = stash   | eval isFailure!=if(searchmatch("gamification"),1,0) | table isFailure

Why table isFailure never show any results?

because you're != instead of = . Eval is a generating command... in this case your logic is saying... dont generate anything.

You want something like this instead:

  index=gamification AND sourcetype = stash   | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure

This one fails because of spacing:

 index=gamification  |  spath 
                     | rename gamification.action.name as actionId,
                               gamification.user.id as playerId, 
                               _indextime as date,
                               gamification.origin.name as origin 
                      | where origin="sparxea" 
                      | eval updated=[
                             search index=gamification AND sourcetype = stash 
                             | eval isFailure=if(searchmatch("gamification"),1,0) 
                             | eval updated=if(isFailure =="0",now(),_indextime) 
                             | return $updated ] 
                      | eval updated = strftime(updated,"%Y.%m.%d %H:%M.%S") 
                      | where date > updated                     
                      | table updated,date,playerId,actionId 
                      |  script python gamification -t playlyfe -c action -m p 
                      | collect index="gamification"

Should be like this instead:

 index=gamification  |  spath 
                     | rename gamification.action.name as actionId,
                               gamification.user.id as playerId, 
                               _indextime as date,
                               gamification.origin.name as origin 
                      | where origin="sparxea" 
                      | eval updated=[
                             search index=gamification AND sourcetype=stash 
                             | eval isFailure=if(searchmatch("gamification"),1,0) 
                             | eval updated=if(isFailure=="0",now(),_indextime) 
                             | return $updated ] 
                      | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S") 
                      | where date > updated                     
                      | table updated,date,playerId,actionId 
                      | script python gamification -t playlyfe -c action -m p 
                      | collect index="gamification"

I fixed spacing here:

                             search index=gamification AND sourcetype=stash

And here:

                             | eval updated=if(isFailure=="0",now(),_indextime)

And here:

                      | eval updated=strftime(updated,"%Y.%m.%d %H:%M.%S")

Same with this one:

  | eval updated=[ search index=gamification AND sourcetype=stash 
                              | eval updated=if(isnotnull(extractfield),_indextime,now())
                              | return $updated ]
0 Karma
Reply

gamification
Explorer
‎08-16-2016 05:06 AM

Actually the problem is in my main query,
sometimes the subsearch return events, sometimes not.
What i want to achieve is depending if i find result or not, it gives me different date.
Here the change i did in the subsearch ( it's what i want to achieve since the begining).

search index=gamification AND sourcetype= stash
                              | eval origin=originUpdate
                              | where origin="sparxea"
                              | eval time = _indextime
                              | eval updated=if(isnull(time),now(),_indextime) 
                              | return $updated

Even if i should always return a date because of this line | eval updated=if(isnull(time),now(),_indextime)
eval function give me error eval dest_key = expression because when no events are found, eval is unable to generate values to return. I can't figure how to do it.

0 Karma
Reply

gamification
Explorer
‎08-15-2016 04:29 AM

Hello ,

I tried your solutions.

index=gamification AND sourcetype = stash   | eval isFailure=if(searchmatch("gamification"),1,0) | table isFailure

It gives me no result found.

The main query with your spacing fixes still give me the same error : eval dest_key = expression

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-15-2016 05:03 AM

I see a space on both sides of your equals ( = ) still. Did you try without that?

I think this is the problem:

| eval isFailure=if(search match("gamification"),1,0)

Should be this instead

| eval isFailure=if(match(gasification,"REGEX"),1,0)

And I don't know your regex. What if you just remove this one eval?

0 Karma
Reply

gamification
Explorer
‎08-12-2016 12:55 PM

Hello,

Thanks for you answer.
I try it soon and give a reply !

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...