topic Re: [Resolved]Splunk eval - Error in 'eval' command: The expression is malformed. in Splunk Search

[Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.

cheriemilk — Thu, 05 Dec 2019 03:22:20 GMT

Hi team,

I got error 'Error in 'eval' command: The expression is malformed. ' when running below query. Guess it's because the double quote in the the source log. How to get rid of this?

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN="Jessica" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID="EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1" AGN="\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3="\[tsv2##jobinfo\]" C_ktf4="\[gender,location\]" C_if1="21" C_ktf2="\[Background_Criteria,Profile_Criteria\]" C_bf1="false" C_bf2="false" "
| makemv delim=";" log 
| mvexpand log 
| rex field=log "ktf2=\"\[(?P(.*))\"\]" 
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2

Re: [Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.

vnravikumar — Thu, 05 Dec 2019 03:37:43 GMT

Try with escaping double quote

| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B* TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"[tsv2##jobinfo]\" C_ktf4=\"[gender,location]\" C_if1=\"21\" C_ktf2=\"[Background_Criteria,Profile_Criteria]\" C_bf1=\"false\" C_bf2=\"false\" "

Re: [Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.

cheriemilk — Thu, 05 Dec 2019 08:20:18 GMT

@vnravikumar , Thank you and it works

Re: [Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.

woodcock — Thu, 05 Dec 2019 16:07:51 GMT

Missed it by >that< much; you need to escape your double-quotes among other minor problems; try this:

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"\[tsv2##jobinfo\]\" C_ktf4=\"\[gender,location\]\" C_if1=\"21\" C_ktf2=\"\[Background_Criteria,Profile_Criteria\]\" C_bf1=\"false\" C_bf2=\"false\""
| makemv delim=";" log 
| mvexpand log 
| rename log AS _raw
| kv
| table C_ktf2
| rename C_ktf2 AS ktf2
| rex field=ktf2 mode=sed "s/\\\\\[|\\\\\]//g"
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2