eval assigns value based on subsearch, but says ex...

nuttervm · ‎04-03-2012

Hi all,

I have a saved search containing an eval and a subsearch that seems to work successfully:

source="S2 CentralDHCPLogger" | stats dc(cafe) as Attempt | eval Fail=[ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail | rename Fail AS query ] | eval Succcess=Attempt-Fail

Attempt Fail Success
518     139  379

However, Splunk 4.2.4 displays the following error message at the top of the screen each time it is run:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail | rename Fail AS query ]'.

Most importantly, this error seems to be preventing me from scheduling that saved search... which means I can't execute it ahead of time and use it efficiently in Views/Dashboards.

I have removed pieces of the subsearch one by one and can't seem to isolate what exactly splunk thinks is an unexpected character. I think it is the bracket chars[] but I have reviewed multiple questions on Splunk's forums and have followed examples on how to use a subsearch and eval together, but no one else seems to have this issue. What am I doing wrong?

woodcock · ‎07-04-2015

I am not sure why it isn't now (or rather was earlier) working but the proper way to do what you are doing is with the appendcols command. This should work fine for you everywhere:

 source="S2 CentralDHCPLogger" | stats dc(cafe) as Attempt | appendcols [ search source="S2 CentralDHCPLogger" "Giving up" | stats distinct_count(cafe) AS Fail ] | eval Succcess=Attempt-Fail

eval assigns value based on subsearch, but says expression is malformed

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk