Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eval fails on save search but works in Flashtimeline.. why ?

john_loch
Explorer
‎11-16-2010 03:36 AM

The following works in the flashtimeline, but as soon as i try to save as search or chart etc it fails.. why ?

index=myindex sourcetype="mylog" FATAL | stats count AS rslt | eval nres = rslt / [search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query] | stats first(nres)

It fails with the following: SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query]'.

I have replaced the index and log names with generic names in the sample above, and the actual role of the query is to divide count of fatal errors into the count of pages served a basic quality/load metric)

Thanks.

Tags (2)
Reply

rajiv_kumar
Path Finder
‎05-23-2013 11:47 AM

Is this issue fixed??

0 Karma
Reply

carasso
Splunk Employee
Splunk Employee
‎01-07-2011 12:02 AM

Short answer: this is a bug.

The code to parse searches without running them notes that the subsearch (having not run) is not a valid eval expression.

A bug has been filed (SPL-36704). Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...