Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eval fails on save search but works in Flashtimeline.. why ?

john_loch
Explorer
‎11-16-2010 03:36 AM

The following works in the flashtimeline, but as soon as i try to save as search or chart etc it fails.. why ?

index=myindex sourcetype="mylog" FATAL | stats count AS rslt | eval nres = rslt / [search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query] | stats first(nres)

It fails with the following: SearchException: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[search index="myotherindex" sourcetype="myotherlog" "r=" "f=" | stats count as query]'.

I have replaced the index and log names with generic names in the sample above, and the actual role of the query is to divide count of fatal errors into the count of pages served a basic quality/load metric)

Thanks.

Tags (2)
Reply

rajiv_kumar
Path Finder
‎05-23-2013 11:47 AM

Is this issue fixed??

0 Karma
Reply

carasso
Splunk Employee
Splunk Employee
‎01-07-2011 12:02 AM

Short answer: this is a bug.

The code to parse searches without running them notes that the subsearch (having not run) is not a valid eval expression.

A bug has been filed (SPL-36704). Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...