×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mogoe2
New Member
Member since: ‎12-09-2019
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-09-2019
View All

Re: Error with eval expression using eventstats co...

by in Splunk Search
‎12-09-2019 11:58 AM
‎12-09-2019 11:58 AM
Thanks.. From this query, I am.looking to find out number of incidents which have been resolved by my team during particular duration. Intent is to create splunk data model and provide it to my team to find themselves incident count. While creating splunk data model, I.am unable to find how do I use ticket_start_time" and "ticket_end_time" in eval expression as it is only option I have in splunk data model creation. As soon as I go to pivot to analyse my data model, I start getting error "Error in 'eval' command: The expression is malformed". Hope I have been able to explain. ... View more

Re: Error with eval expression using eventstats co...

by in Splunk Search
‎12-09-2019 10:38 AM
‎12-09-2019 10:38 AM
While creating splunk data model, I am using eval expression as Eval ticket_start_time= eventstats earliest(_time) Thanks ... View more

Error with eval expression using eventstats comman...

by in Splunk Search
‎12-09-2019 05:55 AM
‎12-09-2019 05:55 AM
Hi, I want to create below search using splunk DataModel: index="oqa_pub" sourcetype="idesk_db_inc" |search RESOLVERGROUP="ABC" |eventstats earliest(_time) as ticket_start_time |eventstats latest(_time) as ticket_end_time| where isnotnull(LAST_RESOLVED_DATE) AND (LAST_RESOLVED_DATE >= ticket_start_time AND LAST_RESOLVED_DATE <= ticket_end_time) | where NOT DETAILED_DECRIPTION like "%bamAudit%" |where STATUS !=6|dedup INCIDENT_NUMBER|chart count(INCIDENT_NUMBER) but when I am trying to put "ticket_start_time" and "ticket_end_time" in eval expression, it gives me an error in pivot "Error in 'eval' command: The expression is malformed. " Any help would be highly appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM