https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318021#M95163 <P>The above answers would be correct but you can try this one also.</P> <P>index="index_name" Account_Name=smithjt OR Account_Name=jonestt<BR /> |eval X1=case (like(Account_Name,"%smithjt%"),"John T Smith", like(Account_Name,"jonestt"), "Tom T Jones")<BR /> |table Account_Name, X1</P> Tue, 29 Sep 2020 18:59:21 GMT abhijeet01 2020-09-29T18:59:21Z https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318017#M95159 <P>What am I doing wrong?<BR /> * Account_Name=smithjt OR Account_Name=jonestt*<BR /> |eval X1=case (Account_Name=="smithjt", "John T Smith", Account_Name=="jonestt", "Tom T Jones")<BR /> |table Account_Name, X1</P> <P>I get --- Error in 'eval' command: The expression is malformed. An unexpected character is reached at "Tom T Jones"</P> <P>I have tried replacing == with ==, putting in " marks and taking them out. What is the unexpected character?</P> Tue, 29 Sep 2020 18:54:52 GMT https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318017#M95159 jtitus3 2020-09-29T18:54:52Z https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318018#M95160 <P>there shouldn't be anything wrong.</P> <P><CODE>|makeresults|eval Account_Name="jonestt"|eval X1=case (Account_Name="smithjt", "John T Smith", Account_Name="jonestt", "Tom T Jones")</CODE></P> <P>I did this with both<CODE>==</CODE> and <CODE>=</CODE> and it worked just fine. what version are you on?</P> Mon, 09 Apr 2018 19:00:10 GMT https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318018#M95160 cmerriman 2018-04-09T19:00:10Z https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318019#M95161 <P>Try retyping the query in search bar (OR in notepad and then copy the query).</P> Mon, 09 Apr 2018 19:40:24 GMT https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318019#M95161 somesoni2 2018-04-09T19:40:24Z https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318020#M95162 <P>I think the major problem was that there were two Account_Names but if there is only one Account_Name the search still works well. Spacing seemed to be important and quotes are required.<BR /> * Account_Name=smithja OR Account_Name=jonesst* OR Account_Name=davisgs<BR /> |eval name1=mvindex(Account_Name,0)<BR /> |eval name2=mvindex(Account_Name,1)<BR /> |eval FN1=case(name1==”smitha”, ”John A Smith”,<BR /> name1==”jonesst”, ”Steve T Jones”,<BR /> name1==”jonesst-admin”, ”Steve T Jones”,<BR /> name1==”davisgs”, “Gregg S Davis”)<BR /> |eval FN2=case(name2==”smitha”, ”John A Smith”,<BR /> Name2==”jonesst”, ”Steve T Jones”,<BR /> Name2==”jonesst-admin”, ”Steve T Jones”,<BR /> Name2==”davisgs”, “Gregg S Davis”)<BR /> |table name1, FN1, name2, FN2</P> Tue, 29 Sep 2020 18:59:09 GMT https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318020#M95162 jtitus3 2020-09-29T18:59:09Z https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318021#M95163 <P>The above answers would be correct but you can try this one also.</P> <P>index="index_name" Account_Name=smithjt OR Account_Name=jonestt<BR /> |eval X1=case (like(Account_Name,"%smithjt%"),"John T Smith", like(Account_Name,"jonestt"), "Tom T Jones")<BR /> |table Account_Name, X1</P> Tue, 29 Sep 2020 18:59:21 GMT https://community.splunk.com/t5/Splunk-Search/case-expression-is-malformed/m-p/318021#M95163 abhijeet01 2020-09-29T18:59:21Z