Hi all,
I have a saved search containing an eval and a subsearch that seems to work successfully:
source="S2 CentralDHCPLogger" | stats dc(cafe) as Attempt | eval Fail=[ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail | rename Fail AS query ] | eval Succcess=Attempt-Fail
Attempt Fail Success
518 139 379
However, Splunk 4.2.4 displays the following error message at the top of the screen each time it is run:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail | rename Fail AS query ]'.
Most importantly, this error seems to be preventing me from scheduling that saved search... which means I can't execute it ahead of time and use it efficiently in Views/Dashboards.
I have removed pieces of the subsearch one by one and can't seem to isolate what exactly splunk thinks is an unexpected character. I think it is the bracket chars[] but I have reviewed multiple questions on Splunk's forums and have followed examples on how to use a subsearch and eval together, but no one else seems to have this issue. What am I doing wrong?
... View more