[help]eval expression for dynamic field is invalid

cheriemilk · ‎01-14-2020

Hi Team,

I have below appendpipe clause
| appendpipe
[| eventstats first(eval("step3".mvindex(list_behavior,2))) as start, first(eval(if(isnull(mvindex(list_behavior,3))), "step4".mvindex(list_behavior,3), "exit")) as end by UserID]

But I got the an error when searching
Error in 'eventstats' command: The eval expression for dynamic field 'eval(if(isnull(mvindex(list_behavior,3))), "step4".mvindex(list_behavior,3), "exit")' is invalid. Error='The operator at ', "Cherie", "exit"' is invalid.'.

I want to judge first that if the index list_behavior[3] exist or not. If exist, keep the original value, if not, fill in with "exist"

What the correct syntax format should be here ?

Best Regards,
Cherie

to4kawa · ‎01-14-2020

....
| appendpipe
[| eventstats first(eval("step3".mvindex(list_behavior,2))) as start, first(eval(if(mvcount(list_behavior)=3, "step4".mvindex(list_behavior,3), "exit"))) as end by UserID]

Hi, @cheriemilk
how about this?

[help]eval expression for dynamic field is invalid

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

[help]eval expression for dynamic field is invalid

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!