Solved: Why i am getting Error in 'eval' command: The expr...

vasanthi77 · ‎04-28-2019

Hi all ,

I am trying to configure alert for data replication in cluster manger. Using below query , getting "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"1\", \"icon-check\", \"icon-alert\")'. "

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=\"$group$\" /services/cluster/master/generation/master

| fields pending_last_reason, search_factor_met, replication_factor_met

| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== \"1\", \"icon-check\", \"icon-alert\")

| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason==\"\", \"All Data is Searchable\", \"Some Data is Not Searchable\")

| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == \"1\", \"icon-check\", \"icon-alert\")

| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == \"1\", \"Search Factor is Met\", \"Search Factor is Not Met\")

| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == \"1\", \"icon-check\", \"icon-alert\")

| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == \"1\", \"Replication Factor is Met\", \"Replication Factor is Not Met\")

can some one please help me here

Thanks in advance

woodcock · ‎04-29-2019

Try this:

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=* /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== "1", "icon-check", "icon-alert") 
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable") 
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == "1", "icon-check", "icon-alert") 
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met") 
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == "1", "icon-check", "icon-alert") 
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")

When extracting a search from a dashboard panel, EITHER use the Magnifying Glass icon to Open in search OR edit the panel in GUI mode (NOT XML) and then click the Magnifying Glass icon to Edit search and copy it from there. If you copy it from XML edit, you will have these kinds of problems.

View solution in original post

woodcock · ‎04-29-2019

Try this:

| rest splunk_server_group=dmc_group_cluster_master splunk_server_group=* /services/cluster/master/generation/master
| fields pending_last_reason, search_factor_met, replication_factor_met
| eval all_data_searchable_icon = if(isnull(pending_last_reason) or pending_last_reason== "1", "icon-check", "icon-alert") 
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable") 
| eval search_factor_met_icon = if(search_factor_met == 1 or search_factor_met == "1", "icon-check", "icon-alert") 
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met") 
| eval replication_factor_met_icon = if(replication_factor_met == 1 or replication_factor_met == "1", "icon-check", "icon-alert") 
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")

When extracting a search from a dashboard panel, EITHER use the Magnifying Glass icon to Open in search OR edit the panel in GUI mode (NOT XML) and then click the Magnifying Glass icon to Edit search and copy it from there. If you copy it from XML edit, you will have these kinds of problems.

Why i am getting Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"1\", \"icon-check\", \"icon-alert\")'.

Splunk Answers Content Calendar, July Edition I

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Are you a member of the Splunk Community?

Why i am getting Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"1\", \"icon-check\", \"icon-alert\")'.

Splunk Answers Content Calendar, July Edition I

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM