I have a search that runs fine by itself:
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
but if I put the search as a subsearch in an if statement as below:
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
],
user)
| table actual_user
it will throw me the error "Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'."
I tested by simplifying the search and found the problem is the field name part "USER_NAME_FROM_ACEE":
if I do
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| table user
],
user)
| table actual_user
it works fine, but if I do
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| table USER_NAME_FROM_ACEE
],
user)
| table actual_user
it will throw me the error, which totally does not make sense to me. Any suggestion why it is like this?
I found the problem is actually not the field name; it is the result the subsearch produced, or I should say
| return $USER_NAME_FROM_ACEE
returns an empty result, which causes the search to run as
| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user
and that caused the error.
I found the root cause by adding the "format" command at the end of my search:
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
| format
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| eval USER_NAME_FROM_ACEE="\"".USER_NAME_FROM_ACEE."\""
| table USER_NAME_FROM_ACEE
],
user)
| table actual_user
How about this?
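As an added example in Python (not Splunk's code and not from either post above), a toy model of what the thread is about: the subsearch result is pasted into the outer eval as text, so an empty result or a value containing a quote leaves a malformed expression, while a properly quoted value, as the last answer does, stays well formed. The substitution format and the well-formedness check are simplifications assumed here, not Splunk's exact behaviour.

```python
# Toy model (added example): subsearch text pasted into the outer eval.
TEMPLATE = 'if((unc!=1), {SUB}, user)'  # the outer eval from the post

def substitute(template, sub_text):
    """Textual substitution. Assumption (a simplification, not Splunk's
    exact output): the subsearch contributes sub_text verbatim, and a
    subsearch with no results contributes the empty string."""
    return template.replace("{SUB}", sub_text)

def quote_spl(value):
    """Wrap a raw value as an eval string literal, escaping embedded
    backslashes and quotes so a value like O"Brien cannot end the
    literal early (the last answer's concatenation trick does not escape)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'

def is_well_formed(expr):
    """Rough stand-in for the eval parser: parentheses must balance
    outside string literals, every literal must close, and no argument
    may be empty (the `, ,` left behind by an empty subsearch)."""
    depth, in_str, i = 0, False, 0
    while i < len(expr):
        c = expr[i]
        if in_str:
            if c == "\\":
                i += 1               # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    if depth != 0 or in_str:
        return False
    compact = expr.replace(" ", "")
    return not any(bad in compact for bad in (",,", "(,", ",)"))

if __name__ == "__main__":
    for sub in ["", "ABC123", quote_spl(""), quote_spl('O"Brien')]:
        expr = substitute(TEMPLATE, sub)
        print(("ok " if is_well_formed(expr) else "BAD") + "  " + expr)
```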