topic Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."? in Splunk Search

Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Thu, 07 Jul 2016 01:50:52 GMT

Hi All,

When I execute the search below, it works fine:

 index="X" sourcetype="xx" "applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--")

But when integrated with Case condition it fails with error: Error in 'eval' command: The expression is malformed. Expected ).

index="X" sourcetype="xx" "applicationCode: 123"  responseCode=* | eval response_cd=case("applicationCode: 123" "providerCode: AAA" NOT("responseCode: 00" OR "responseCode: SM--" ,"AAA") | timechart count by response_cd usenull=f useother=f

Can some help me please!!!

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

ddrillic — Thu, 07 Jul 2016 02:04:13 GMT

I see in my records something like | eval cat=case(host == "aaaa", "customer", host == "bbbb", "customer").

Can you please give this syntax a try?

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Thu, 07 Jul 2016 02:08:51 GMT

That is not delimited with colon so splunk takes enter string as applicationCode: 123.

I tried that earlier no luck.

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

ddrillic — Thu, 07 Jul 2016 02:11:59 GMT

Oh sorry, let me please check more ; -)

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

maciep — Thu, 07 Jul 2016 02:32:03 GMT

I'm confused as to what you're trying to accomplish. What would you expect to end up in the repsonse_cd field after the eval?

To back up a moment, the case statement is used to test multiple conditions and return the value corresponding to the first matching condition. So

eval field = case (condition1,value1, condition2, value2, ..., conditionN, valueN)

For example, if you had a field for operating system called os_ver that contained windows version numbers you might use this to get a corresponding name:

eval os_name = case(os_ver="5.1","xp",os_ver="5.2","2003",os_ver="6.0","Vista",1=1,"unknown")

So what condition are you actually testing and what do you want the result to be?

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

chanmi2 — Thu, 07 Jul 2016 02:41:51 GMT

Could you please try to specify AND in the statement in CASE?

| eval response_cd=case(_raw="*applicationCode: 123*" AND _raw="*providerCode: AAA*" AND _raw!="*responseCode: 00*" AND _raw!="*responseCode: SM--*" ,"AAA", 1==1, "BBB")

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Thu, 07 Jul 2016 04:26:39 GMT

I tried the below it didn't worked

| eval response_cd=case(_raw="*applicationCode: 123*"  ,"AAA", 1==1, "BBB")

I removed from case and tried it is getting data

_raw="*applicationCode: 123*"

is it that _raw doesn't work for case?

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Tue, 29 Sep 2020 10:08:56 GMT

I have multiple conditions and value to start with. For testing purpose I have added only one condition

eval response_cd=case(_raw="applicationCode: 123","AAA",_raw="applicationCode: XXX", "BBB") | search response_cd=AAA

Things are working fine if I put directly _raw="applicationCode: 123" in search but when I am trying with if or case condition the data never pops up even if exists.

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

woodcock — Thu, 07 Jul 2016 05:11:12 GMT

Try starting out with this:

... | eval response_cd=case(_raw="*applicationCode: 123*", "AAA",
                            _raw="*applicationCode: XXX"*, "BBB"
                                                   true(), "UNK")
| stats count by response_cd

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Thu, 07 Jul 2016 05:53:59 GMT

The Search doesn't work even if it contains the data applicationCode: 123 it never displays

but if I removed case and tried search _raw="applicationCode: 123" I get the data. It's weird.

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

chanmi2 — Thu, 07 Jul 2016 05:56:57 GMT

_raw contains the whole string, need to have *(any character) in the beginning and the end

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Thu, 07 Jul 2016 06:02:41 GMT

Yes I tried with start at the beginning and end. It didn't worked

_raw="*applicationCode: 123*"

Re: Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

saradachelluboy — Thu, 07 Jul 2016 06:09:25 GMT

HUhu it worked with few changes

case(match(_raw,"applicationCode: 123"),"AAA",1=1,"UNK")