Re: Help with passing search result to eval failin...

dhivyamu · ‎11-07-2019

I'm trying you create a variable out of a search result using eval.

This works fine, I get a single row, and a column with error lines:

search index=sap_log_index message_type="E" | eventstats list(message_text) as errorLines | nomv errorLines | dedup errorLines | table errorLines

But the below search fails with malformed exception:

index="sap_idoc_index" | eval errorLines=[search index=sap_log_index message_type="E" | eventstats list(message_text) as errorLines | nomv errorLines | dedup errorLines | return $errorLines] | eval error_msg = if(Status=="41", errorLines, ""), status =  if(Status=="41", "Failed", "Success") | table idoc_number, status, error_msg

harishalipaka · ‎11-08-2019

@dhivyamu

index="_internal" |head 1| eval errorLines= 
     [ search index=_internal  
     | stats count(source) as errorLines 
     |return $errorLines] ,Status=41| eval error_msg = if(Status=="41", errorLines, ""), status = if(Status=="41", "Failed", "Success") 
 | table errorLines, status, error_msg,Status

Thanks
Harish

arjunpkishore5 · ‎11-07-2019

This is what you need

index="sap_idoc_index" 
| eval errorLines= 
    [ search index=sap_log_index message_type="E" 
    | stats values(message_text) as errorLines 
    |return $errorLines] 
| eval error_msg = if(Status=="41", errorLines, ""), status = if(Status=="41", "Failed", "Success") 
| table idoc_number, status, error_msg

dhivyamu · ‎11-07-2019

Thank you, this is so neat. But I still get the same error. The search works fine outside but doesn't fits in eval though it returns a single value 😞

Help with passing search result to eval failing

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Help with passing search result to eval failing

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard