Hi all ,
I am trying to configure alert for data replication in cluster manger. Using below query , getting "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"1\", \"icon-check\", \"icon-alert\")'. "
| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=\"$group$\" /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== \"1\", \"icon-check\", \"icon-alert\")
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason==\"\", \"All Data is Searchable\", \"Some Data is Not Searchable\")
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == \"1\", \"icon-check\", \"icon-alert\")
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == \"1\", \"Search Factor is Met\", \"Search Factor is Not Met\")
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == \"1\", \"icon-check\", \"icon-alert\")
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == \"1\", \"Replication Factor is Met\", \"Replication Factor is Not Met\")
can some one please help me here
Thanks in advance
Try this:
| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=* /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== "1", "icon-check", "icon-alert")
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable")
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == "1", "icon-check", "icon-alert")
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met")
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == "1", "icon-check", "icon-alert")
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")
When extracting a search from a dashboard panel, EITHER use the Magnifying Glass icon to Open in search
OR edit the panel in GUI
mode (NOT XML
) and then click the Magnifying Glass icon to Edit search
and copy it from there. If you copy it from XML
edit, you will have these kinds of problems.
Try this:
| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=* /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== "1", "icon-check", "icon-alert")
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable")
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == "1", "icon-check", "icon-alert")
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met")
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == "1", "icon-check", "icon-alert")
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")
When extracting a search from a dashboard panel, EITHER use the Magnifying Glass icon to Open in search
OR edit the panel in GUI
mode (NOT XML
) and then click the Magnifying Glass icon to Edit search
and copy it from there. If you copy it from XML
edit, you will have these kinds of problems.