[help]eval expression for dynamic field is invalid

cheriemilk · ‎01-14-2020

Hi Team,

I have below appendpipe clause
| appendpipe
[| eventstats first(eval("step3".mvindex(list_behavior,2))) as start, first(eval(if(isnull(mvindex(list_behavior,3))), "step4".mvindex(list_behavior,3), "exit")) as end by UserID]

But I got the an error when searching
Error in 'eventstats' command: The eval expression for dynamic field 'eval(if(isnull(mvindex(list_behavior,3))), "step4".mvindex(list_behavior,3), "exit")' is invalid. Error='The operator at ', "Cherie", "exit"' is invalid.'.

I want to judge first that if the index list_behavior[3] exist or not. If exist, keep the original value, if not, fill in with "exist"

What the correct syntax format should be here ?

Best Regards,
Cherie

to4kawa · ‎01-14-2020

....
| appendpipe
[| eventstats first(eval("step3".mvindex(list_behavior,2))) as start, first(eval(if(mvcount(list_behavior)=3, "step4".mvindex(list_behavior,3), "exit"))) as end by UserID]

Hi, @cheriemilk
how about this?

[help]eval expression for dynamic field is invalid

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

[help]eval expression for dynamic field is invalid

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...