About fabriziorti

fabriziorti · ‎05-23-2019

Great suggestions @goodair! Thanks

fabriziorti · ‎05-23-2019

Thank you to both @DavidHourani and @goodair for your replies. Although I would like to see more explanation why eval is not producing a result, I understand that sometimes an expression just does not evaluate to anything. No

fabriziorti · ‎05-22-2019

Hmm, thanks for your good points, but "looking at my data" doesn't really answer my question. Errors are made, especially when we start with Splunk. Having some sort of feedback like "cannot apply the '+' operator over a multi-value" would have helped me.

fabriziorti · ‎05-21-2019

I'm new to Splunk, and I am trying to figure out how the eval command works in searches. Sometimes I don't get any result, but no errors/warnings are generated (not even on any log files I can see). How do I troubleshoot an 'eval' that does not produce anything? For example, I was using a simple expression like: sourcetype="rti_avdemo" | eval foo=action+1 | table action, foo where I thought 'action' was a number. That did not produce anything. Then I figured out that 'action' is a multi-value. In this case, eval does not produce anything, and I get no errors, warnings. How can I get some information that can help me ? Thanks! Fab

Posts	4
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎05-20-2019

Online Status	Offline
Date Last Visited	‎10-19-2023 12:41 PM

How to troubleshoot eval expressions?

Re: How to troubleshoot eval expressions?

Re: How to troubleshoot eval expressions?

Re: How to troubleshoot eval expressions?

How to troubleshoot eval expressions?