Splunk Search

Problem getting count(eval(. . . from chart command

rgcox1
Communicator

Trying to emulate example given here, but totals always come up zero. Basic search returns over 1,000 events for a 4 hour period, containing 4 eventcodes: 636, 637, 4732, 4733.

"ConfigMgr Remote" |chart count(Eval(EventCode="636")) AS Added, count(Eval(EventCode="637")) AS Removed

Splunk GUI returns: Specified field(s) missing from results: 'Eval(EventCode=636)', 'Eval(EventCode=637)'

Have also tried if, case, and like functions of eval (with & without quoted aurguments):

"ConfigMgr Remote" |chart count(Eval(If EventCode == "636", "1", "0")) AS Added, count(Eval(Case EventCode == "637", 1, EventCode == 4733, 1)) AS Removed, count(Eval(like, Message, "%removed%")) AS Removed2 

Answer here looks promising, but can't get bin and stats to work either.

Final goal, after I get the basic chart to work, is to change to timechart:

"ConfigMgr Remote" |timechart count(Eval(EventCode="636" OR EventCode="4732")) AS Added, count(Eval(EventCode="637" OR EventCode="4733")) AS Removed
Tags (3)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

eval() needs to be written with a lower-case e, not upper-case E. I believe the same is true of if()

View solution in original post

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

eval() needs to be written with a lower-case e, not upper-case E. I believe the same is true of if()

0 Karma

rgcox1
Communicator

Thanks - one day maybe I'll get used to the case sensitivity almost everywhere!

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...