topic Re: edit fields with eval expressions in Splunk Search

edit fields with eval expressions

jerm1020rq — Fri, 18 Dec 2020 16:35:44 GMT

I am receiving an error of "The expression is malformed. Expected IN." any time we search utilizing the web data model. When i remove this eval expression 'if(act="File quarantined","blocked",action)' the search works fine so I am assuming that this is the problem child. does anyone see anything inherently wrong with this expression?

Re: edit fields with eval expressions

nickhills — Fri, 18 Dec 2020 17:15:49 GMT

try changing it to

if(action="File quarantined","blocked",action)

That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was

if (action = quarantine, re-write it as action="blocked", otherwise set action=action( i.e whatever it already was) )

Re: edit fields with eval expressions

jerm1020rq — Fri, 18 Dec 2020 17:39:49 GMT

I appreciate the reply, unfortunately it did not work. There are 2 eval expressions seen as below. Does there need to be something in between? Thank you !

if(isnull(action) OR action="","unknown",action)
if(act="File quarantined","blocked",action)

Re: edit fields with eval expressions

nickhills — Fri, 18 Dec 2020 17:48:27 GMT

Where are you seeing this? Inside the web datamodel?

In which case, the action field should look like this (see attached)

If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s.

case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)