Problem getting count(eval(. . . from chart command

Question

Trying to emulate example given here, but totals always come up zero. Basic search returns over 1,000 events for a 4 hour period, containing 4 eventcodes: 636, 637, 4732, 4733.

"ConfigMgr Remote" |chart count(Eval(EventCode="636")) AS Added, count(Eval(EventCode="637")) AS Removed

Splunk GUI returns: Specified field(s) missing from results: 'Eval(EventCode=636)', 'Eval(EventCode=637)'

Have also tried if, case, and like functions of eval (with & without quoted aurguments):

"ConfigMgr Remote" |chart count(Eval(If EventCode == "636", "1", "0")) AS Added, count(Eval(Case EventCode == "637", 1, EventCode == 4733, 1)) AS Removed, count(Eval(like, Message, "%removed%")) AS Removed2

Answer here looks promising, but can't get bin and stats to work either.

Final goal, after I get the basic chart to work, is to change to timechart:

"ConfigMgr Remote" |timechart count(Eval(EventCode="636" OR EventCode="4732")) AS Added, count(Eval(EventCode="637" OR EventCode="4733")) AS Removed

Accepted Answer

0	`eval()` needs to be written with a lower-case `e`, not upper-case `E`. I believe the same is true of `if()` link answered 08 Dec '10, 07:10 gkanapathy ♦ 26.5k●1●6●22 accept rate: 42% Thanks - one day maybe I'll get used to the case sensitivity almost everywhere! (08 Dec '10, 16:16) rgcox1

Problem getting count(eval(. . . from chart command

Follow this question

Splunk Resources

Related questions