Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting an eval command error "The arguments to the match function are invalid"?

Taner
Engager
‎07-26-2017 10:36 AM

I would like to create a new panel in my Dashboard and I am using the following search string:

index=$index$ eventId=xy source="zz-json.log" (X-TRACE-ID="PV3*") OR (X-TRACE-ID="IPL*")| dedup X-TRACE-ID |
eval event=case(
match(X-TRACE-ID,"PV3"),"Option1",
match(X-TRACE-ID,"IPL"),"Option2") | chart count by event

Why do I get the error message: Error in "eval" command: The arguments to the „match“ function are invalid.

Could you please help me 😞 ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-26-2017 12:13 PM

You should enclose field names with special characters within single quotes in eval and where clause. Like this

index=$index$ eventId=xy source="zz-json.log" (X-TRACE-ID="PV3*") OR (X-TRACE-ID="IPL*")| dedup X-TRACE-ID | 
eval event=case( 
match('X-TRACE-ID',"PV3"),"Option1", 
match('X-TRACE-ID',"IPL"),"Option2") | chart count by event

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-26-2017 12:13 PM

You should enclose field names with special characters within single quotes in eval and where clause. Like this

index=$index$ eventId=xy source="zz-json.log" (X-TRACE-ID="PV3*") OR (X-TRACE-ID="IPL*")| dedup X-TRACE-ID | 
eval event=case( 
match('X-TRACE-ID',"PV3"),"Option1", 
match('X-TRACE-ID',"IPL"),"Option2") | chart count by event
Reply
Solved! Jump to solution

Taner
Engager
‎07-27-2017 12:14 AM

It is working. Thank you very much 🙂

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎07-26-2017 12:02 PM

The hyphens in your field names cause Splunk to evaluate the field as the expression X minus TRACE minus ID. Try adding | rename X-TRACE-ID as xtraceid after your dedup and use xtraceid in your match expressions and it should work as expected.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎07-26-2017 12:03 PM

response overlap with sbbadri, sorry for the dupe

0 Karma
Reply
Solved! Jump to solution

sbbadri
Motivator
‎07-26-2017 11:52 AM

try below, i think - in XTRACEID created a issue.

index=$index$ eventId=xy source="zz-json.log" (X-TRACE-ID="PV3*") OR (X-TRACE-ID="IPL*")| dedup X-TRACE-ID | rename X-TRACE-ID as XTRACEID | eval event=case(
match(XTRACEID ,"PV3"),"Option1",
match(XTRACEID ,"IPL"),"Option2") | chart count by event

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...