Tags: splunk, splunk-query

Splunk Query - unexpected failure when using today's date


I have a query that has some conditional evals. When I run it for yesterday it works without errors, but when I run it for today's date I get an unexpected character error.

This works, querying yesterday:

index="some_index" sourcetype="a:b" earliest=-1d@d+16h latest=-1d@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted
| eval dfeFailures=if( batchJobCompleted > 0 ,
  [search index="another_index" earliest=-1d@d+16h latest=-1d@d+17h sourcetype="c:/d" "Summary" AND "RUN_TYPE: 'FOO'" 
  | rex field=_raw "STUFF:\s+(?<STUFF>\w+)"
  | return $STUFF ]
  ,"Not Fininshed")

If I change the date to today, the first part works:

index="some_index" sourcetype="a:b" earliest=@d+16h latest=@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted

If I change the date to today in the second search as well, this DOES NOT WORK:

index="some_index" sourcetype="a:b" earliest=@d+16h latest=@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted
| eval dfeFailures=if( batchJobCompleted > 0 ,
  [search index="another_index" earliest=@d+16h latest=@d+17h sourcetype="c:/d" "Summary" AND "RUN_TYPE: 'FOO'" 
  | rex field=_raw "STUFF:\s+(?<STUFF>\w+)"
  | return $STUFF ]
  ,"Not Fininshed")

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',"Not Fininshed")'. The search job has failed due to an error. You may be able view the job in the Job Inspector.


Solution

  • When you run the subsearch ("second search" in the OP) by itself, does it return something that makes sense in the "then" clause of an if function? If not, then you'll get that error message and you'll need to modify the subsearch to produce valid output.

    One way to do that is by using appendpipe.

    index="some_index" sourcetype="a:b" earliest=@d+16h latest=@d+17h app_name="SOME-BATCH-*" "Job completed at"
    | stats count as batchJobCompleted
    | eval dfeFailures=if( batchJobCompleted > 0 ,
      [search index="another_index" earliest=@d+16h latest=@d+17h sourcetype="c:/d" "Summary" AND "RUN_TYPE: 'FOO'" 
      | rex field=_raw "STUFF:\s+(?<STUFF>\w+)"
      | appendpipe [ stats count | eval STUFF="something that works" | where count=0 | fields - count ]
      | return $STUFF ]
      ,"Not Fininshed")