Splunk Search

Trying chart of multiple data series with tutorial but error with eval

echozero39
Engager

I am trying to run a chart report following the example from Search manual p.71, I get a field named "Serveur"
index="" sourcetype="" |
stats count(CPU=0) as 0_CPU avg(CPU) as avg_CPU by _time Serveur |
eval s1="CPU_0 avgCPU" |
makemv s1 | mvexpand s1|
eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) |
eval series=Serveur+":"s1 | xyseries _time series yval

but there is an error with that eval in black, it shows "Error in 'eval' command: The expression is malformed. Expected )", but I just can't find where I missed the ")". Thanks for helping me.

0 Karma
1 Solution

stephanefotso
Motivator

Hello! I think the error is here: eval series=Serveur+":"s1. Here is what to write: eval series=Serveur+":"+s1
Thanks

SGF


0 Karma

echozero39
Engager

either

index="" sourcetype="" | 
  stats count(eval(CPU="0")) as 0_CPU avg(CPU) as avg_CPU by _time Serveur | 
  eval s1="CPU_0 avgCPU" | 
  makemv s1 | mvexpand s1| 
  eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) | 
  eval series=Serveur+":"+s1 | xyseries _time series yval

or

 index="" sourcetype="" | 
  stats count(CPU=0) as 0_CPU avg(CPU) as avg_CPU by _time Serveur | 
  eval s1="CPU_0 avgCPU" | 
  makemv s1 | mvexpand s1| 
  eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) | 
  eval series=Serveur+":"+s1 | xyseries _time series yval

both having error : Error in 'eval' command: The expression is malformed. Expected ).

Maybe it's a version issue ? I am using 6.2.2, the search manual is 6.3.2

0 Karma

hmozaffari
Path Finder

I still see double quotes missing. I ran the following on 6.2.2 and didn't get any error:

index="" sourcetype="" | 
   stats count(CPU=0) as 0_CPU avg(CPU) as avg_CPU by _time Serveur | 
   eval s1="CPU_0 avgCPU" | 
   makemv s1 | mvexpand s1| 
   eval yval=case(s1=="CPU_0","0_CPU",s1=="avgCPU","avg_CPU") | 
   eval series=Serveur+":"+s1 | xyseries _time series yval

eval yval=case(s1=="CPU_0","0_CPU",s1=="avgCPU","avg_CPU") |

0 Karma

echozero39
Engager

that ran without error, but I didn't get the result I want.

In fact, I want to be able to run this:
index=* sourcetype=* | timechart count(CPU=0) avg(CPU) by Serveur

However, timechart does not support multiple data series, and the example of the Search manual shows that I can run a similar search,

this is the original search from the document :
index=application_servers | stats sum(handledRequests) as hRs,
avg(sessions) as ssns by _time,source | eval s1="handledReqs sessions"
| makemv s1 | mvexpand s1 | eval
yval=case(s1=="handledReqs",hRs,s1=="sessions",ssns) | eval
series=source+":"+s1 | xyseries _time,series,yval

I changed it but my search didn't work :
index=* sourcetype="*" |
stats count(CPU=0) as 0_CPU avg(CPU) as avg_CPU by _time Serveur |
eval s1="CPU_0 avgCPU" |
makemv s1 | mvexpand s1|
eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) |
eval series=Serveur+":"+s1 | xyseries _time series yval

Can you help me find out the reason ? Thank you in advance !

0 Karma

stephanefotso
Motivator

OK. I think the problem is that 0_CPU. The name of the field is incorrect. It must not start with a digit. Change the name of that field and use for example nulcpu.

index="" sourcetype="" | 
   stats count(eval(CPU="0")) as nulcpu avg(CPU) as avg_CPU by _time Serveur | 
   eval s1="CPU_0 avgCPU" | 
   makemv s1 | mvexpand s1| 
   eval yval=case(s1=="CPU_0",nulcpu,s1=="avgCPU",avg_CPU) | 
   eval series=Serveur+":"+s1 | xyseries _time series yval

I'm sure it will work now.
Thanks.

SGF
0 Karma

echozero39
Engager

thank you so much, that one works...

0 Karma

stephanefotso
Motivator

The answer to accept is the one below. I did not receive any points

SGF
0 Karma

stephanefotso
Motivator

Hello! I think the error is here: eval series=Serveur+":"s1. Here is what to write: eval series=Serveur+":"+s1
Thanks

SGF
0 Karma

echozero39
Engager

Thanks for your answer, that was a mistake that occurred when I typed the question.
The problem is the eval in black anyway,

in fact I did test without the last line and it gave me always:

Error in 'eval' command: The expression is malformed. Expected ).

😞

0 Karma

stephanefotso
Motivator

Here you go:

index="" sourcetype="" | 
stats count(eval(CPU="0")) as 0_CPU avg(CPU) as avg_CPU by _time Serveur | 
eval s1="CPU_0 avgCPU" | 
makemv s1 | mvexpand s1| 
eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) | 
eval series=Serveur+":"+s1 | xyseries _time series yval
SGF
0 Karma

echozero39
Engager

Thanks again !
But it doesn't work, always the same error.

this eval makes the whole command go wrong : eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU

0 Karma

hmozaffari
Path Finder

You forgot to enclose them with double quote :

eval yval=case(s1="CPU_0","0_CPU",s1="avgCPU","avg_CPU")
0 Karma

echozero39
Engager

That's a copy/paste issue..

index="" sourcetype="" | 
 stats count(eval(CPU="0")) as 0_CPU avg(CPU) as avg_CPU by _time Serveur | 
 eval s1="CPU_0 avgCPU" | 
 makemv s1 | mvexpand s1| 
 eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) | 
 eval series=Serveur+":"+s1 | xyseries _time series yval

and

index="" sourcetype="" | 
 stats count(CPU=0) as 0_CPU avg(CPU) as avg_CPU by _time Serveur | 
 eval s1="CPU_0 avgCPU" | 
 makemv s1 | mvexpand s1| 
 eval yval=case(s1=="CPU_0",0_CPU,s1=="avgCPU",avg_CPU) | 
 eval series=Serveur+":"+s1 | xyseries _time series yval

both not working in my splunk

0 Karma

stephanefotso
Motivator

OK. I think the problem is that 0_CPU. The name of the field is incorrect. It must not start with a digit. Change the name of that field and use for example nulcpu.

 index="" sourcetype="" | 
  stats count(eval(CPU="0")) as nulcpu avg(CPU) as avg_CPU by _time Serveur | 
  eval s1="CPU_0 avgCPU" | 
  makemv s1 | mvexpand s1| 
  eval yval=case(s1=="CPU_0",nulcpu,s1=="avgCPU",avg_CPU) | 
  eval series=Serveur+":"+s1 | xyseries _time series yval

I'm sure it will work now.
Thanks.

SGF
0 Karma
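
Added example, not part of any post in this thread: the same pipeline keeping the 0_CPU name, with the field wrapped in single quotes inside eval, which is how eval refers to a field whose name begins with a digit. The first three lines build constructed sample events with makeresults (available from Splunk 6.3 on; on older versions replace them with a real base search); the Serveur and CPU values are made up for illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval _time=relative_time(now(),"@h")-(n%3)*3600, Serveur=if(n<=3,"srvA","srvB"), CPU=if(n%2==0,0,n*10)
| stats count(eval(CPU==0)) as 0_CPU avg(CPU) as avg_CPU by _time Serveur
| eval s1="CPU_0 avgCPU"
| makemv s1
| mvexpand s1
| eval yval=case(s1=="CPU_0",'0_CPU',s1=="avgCPU",avg_CPU)
| eval series=Serveur+":"+s1
| xyseries _time series yval
```

Unquoted, 0_CPU is not read as a field name, which produces the "expression is malformed" error; in double quotes, "0_CPU" is a string literal, so case() returns the text 0_CPU instead of the count and the search runs but charts nothing useful.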