Solved: Where clause has syntax error?

wangkevin1029 · ‎01-21-2022

Hi, Splunkers,

| where ENT_CallType=if($t_VQ$ =="*","*",ltrim($t_VQ$,"VQ_"))

t_VQ is a dropdown token, value is either ALL/* or VQ_abc_efg (string starting with VQ_)

what my code expected is

when t_VQ = *, then |where ENT_CallType=*

when t_VQ = VQ_abc_efg, then |where ENT_CallType=abc_efg

but when I selected ALL/*， has the following error

Error in ‘where’ command: The expression is malformed. An unexpected character is reached at ‘* == “*”,”*”, ltrim(*,”VQ_”)

when VQ_abc_efg is selected, doesn't work either.

thx in advance

Kevin

acharlieh · ‎01-21-2022

No worries, but that distinction doesn't materially change the answer 🙂

| where ENT_CallType=if(* =="*","*",ltrim(*,"VQ_"))

is just as syntactically wrong as what I thought your token value was ... Do the same exercise and you get ... " if (multiplication operator) is equal to ... " which doesn't make sense.

View solution in original post

acharlieh · ‎01-21-2022

When you use tokens in dashboards they don't behave like variables, they behave more like #define macros in C... the literal value gets dropped into place where used prior to evaluation. (Ok this is an oversimplification, but when they're in your search strings... )

In the case that when your token has the value ALL/* then your where clause reads:

| where ENT_CallType=if(ALL/* =="*","*",ltrim(ALL/*,"VQ_"))

To parse that statement in words where the field ENT_CallType has a value equal to ... if ( value of the field ALL divided by multiplied by ... And we've stopped making sense, thus we call it a syntax error when we reach the * coming from your token value.

With the value VQ_abc_efg you don't wind up with the same syntax problem, but you do wind up with something that is obviously not what you were intending:

| where ENT_CallType=if(VQ_abc_efg =="*","*",ltrim(VQ_abc_efg ,"VQ_"))

Again turning this into words, I'm looking in my results for a field called ENT_CallType, and seeing if it's equal to * when the field named VQ_abc_efg has the value *, otherwise the value of the field VQ_abc_efg removing VQ_ from the front of it...

I suspect you want to read up on Syntax to consume tokens , in particular $tokenname|s$ where your token value gets wrapped in double quotes before it gets inserted (and also helps with escaping quotations within the token value too). There are a few other hints around tokens there too.

wangkevin1029 · ‎01-21-2022

it looks I should use $t_VQ|s$, instead of $t_VQ$, will do more testing.

Kevin

wangkevin1029 · ‎01-21-2022

acharlieh，

sorry for misleading your,

ALL/* here means label/value, when ALL is selected, value is *.

same thing, VQ_abc_efg is also the value of token.

Kevin

acharlieh · ‎01-21-2022

No worries, but that distinction doesn't materially change the answer 🙂

| where ENT_CallType=if(* =="*","*",ltrim(*,"VQ_"))

is just as syntactically wrong as what I thought your token value was ... Do the same exercise and you get ... " if (multiplication operator) is equal to ... " which doesn't make sense.

wangkevin1029 · ‎01-21-2022

thx, the documentation link you sent reminded me of $t_VB|s$,

now, I run into a similar issue.

how to concatenate a field with a token.

like the following where clause, ENT_CallType is a field, t_CallType is token,

using . (dot) to do concatenation doesn't work, I also tried ENT_CallType + $t_CallType|s$, it doesn't work either.

| where ENT_CallType=if($t_CallType|s$ == "*",ENT_CallType,ENT_CallType.$t_CallType|s$)

Kevin

wangkevin1029 · ‎01-21-2022

it works when I selected VQ_abc_efg, but when ALL/* is selected, still not working.

Kevin

Where clause has syntax error?

other

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk