[help]eval expression for dynamic field is invalid

cheriemilk · ‎01-14-2020

Hi Team,

I have below appendpipe clause
| appendpipe
[| eventstats first(eval("step3".mvindex(list_behavior,2))) as start, first(eval(if(isnull(mvindex(list_behavior,3))), "step4".mvindex(list_behavior,3), "exit")) as end by UserID]

But I got the an error when searching
Error in 'eventstats' command: The eval expression for dynamic field 'eval(if(isnull(mvindex(list_behavior,3))), "step4".mvindex(list_behavior,3), "exit")' is invalid. Error='The operator at ', "Cherie", "exit"' is invalid.'.

I want to judge first that if the index list_behavior[3] exist or not. If exist, keep the original value, if not, fill in with "exist"

What the correct syntax format should be here ?

Best Regards,
Cherie

to4kawa · ‎01-14-2020

....
| appendpipe
[| eventstats first(eval("step3".mvindex(list_behavior,2))) as start, first(eval(if(mvcount(list_behavior)=3, "step4".mvindex(list_behavior,3), "exit"))) as end by UserID]

Hi, @cheriemilk
how about this?

[help]eval expression for dynamic field is invalid

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation

[help]eval expression for dynamic field is invalid

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026