Hi all,
I have a saved search containing an eval and a subsearch that seems to work successfully:
source="S2 CentralDHCPLogger" | stats dc(cafe) as Attempt | eval Fail=[ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail | rename Fail AS query ] | eval Success=Attempt-Fail
Attempt Fail Success
518 139 379
However, Splunk 4.2.4 displays the following error message at the top of the screen each time it is run:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail | rename Fail AS query ]'.
Most importantly, this error seems to be preventing me from scheduling that saved search... which means I can't execute it ahead of time and use it efficiently in Views/Dashboards.
I have removed pieces of the subsearch one by one and can't seem to isolate what exactly Splunk thinks is an unexpected character. I think it is the bracket chars [], but I have reviewed multiple questions on Splunk's forums and have followed examples on how to use a subsearch and eval together, and no one else seems to have this issue. What am I doing wrong?
I am not sure why it isn't now (or rather was earlier) working but the proper way to do what you are doing is with the appendcols command. This should work fine for you everywhere:
source="S2 CentralDHCPLogger" | stats dc(cafe) as Attempt | appendcols [ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail ] | eval Success=Attempt-Fail