Solved: Why i am getting Error in 'eval' command: The expr...

vasanthi77 · ‎04-28-2019

Hi all ,

I am trying to configure alert for data replication in cluster manger. Using below query , getting "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"1\", \"icon-check\", \"icon-alert\")'. "

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=\"$group$\" /services/cluster/master/generation/master

| fields pending_last_reason, search_factor_met, replication_factor_met

| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== \"1\", \"icon-check\", \"icon-alert\")

| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason==\"\", \"All Data is Searchable\", \"Some Data is Not Searchable\")

| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == \"1\", \"icon-check\", \"icon-alert\")

| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == \"1\", \"Search Factor is Met\", \"Search Factor is Not Met\")

| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == \"1\", \"icon-check\", \"icon-alert\")

| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == \"1\", \"Replication Factor is Met\", \"Replication Factor is Not Met\")

can some one please help me here

Thanks in advance

woodcock · ‎04-29-2019

Try this:

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=* /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== "1", "icon-check", "icon-alert") 
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable") 
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == "1", "icon-check", "icon-alert") 
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met") 
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == "1", "icon-check", "icon-alert") 
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")

When extracting a search from a dashboard panel, EITHER use the Magnifying Glass icon to Open in search OR edit the panel in GUI mode (NOT XML) and then click the Magnifying Glass icon to Edit search and copy it from there. If you copy it from XML edit, you will have these kinds of problems.

View solution in original post

woodcock · ‎04-29-2019

Try this:

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=* /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== "1", "icon-check", "icon-alert") 
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable") 
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == "1", "icon-check", "icon-alert") 
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met") 
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == "1", "icon-check", "icon-alert") 
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")

When extracting a search from a dashboard panel, EITHER use the Magnifying Glass icon to Open in search OR edit the panel in GUI mode (NOT XML) and then click the Magnifying Glass icon to Edit search and copy it from there. If you copy it from XML edit, you will have these kinds of problems.

Why i am getting Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"1\", \"icon-check\", \"icon-alert\")'.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation