Splunk Search

Error with eval expression using eventstats command in Splunk Datamodel

mogoe2
New Member

Hi,

I want to create below search using splunk DataModel:
index="oqa_pub" sourcetype="idesk_db_inc" |search RESOLVERGROUP="ABC" |eventstats earliest(_time) as ticket_start_time |eventstats latest(_time) as ticket_end_time| where isnotnull(LAST_RESOLVED_DATE) AND (LAST_RESOLVED_DATE >= ticket_start_time AND LAST_RESOLVED_DATE <= ticket_end_time) | where NOT DETAILED_DECRIPTION like "%bamAudit%" |where STATUS !=6|dedup INCIDENT_NUMBER|chart count(INCIDENT_NUMBER)

but when I am trying to put "ticket_start_time" and "ticket_end_time" in eval expression, it gives me an error in pivot
"Error in 'eval' command: The expression is malformed. "

Any help would be highly appreciated.

Tags (2)
0 Karma

MuS
Legend

Hi mogoe2,

eventstats is not an eval function. You can find all eval functions here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Functions

As for your use case, you might have to provide some samples and more detail what it is that you want to achieve.

Hope this helps ...

cheers, MuS

0 Karma

mogoe2
New Member

Thanks..
From this query, I am.looking to find out number of incidents which have been resolved by my team during particular duration.
Intent is to create splunk data model and provide it to my team to find themselves incident count.
While creating splunk data model, I.am unable to find how do I use ticket_start_time" and "ticket_end_time" in eval expression as it is only option I have in splunk data model creation. As soon as I go to pivot to analyse my data model, I start getting error "Error in 'eval' command: The expression is malformed".
Hope I have been able to explain.

0 Karma

MuS
Legend

As I said eventstats is not an eval function so you need to find another way to create the needed time fields in the datamodel - Sorry.

cheers, MuS

0 Karma

mogoe2
New Member

While creating splunk data model, I am using eval expression as
Eval ticket_start_time= eventstats earliest(_time)

Thanks

0 Karma

aberkow
Builder

Can you add the eval command line here?

0 Karma
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...