Splunk Search

Error The expression is malformed. An unexpected character is reached at '<<ITEM>>' triggered only in Splunk v 8.2.2112.1

mlevsh
Builder

Hi,

We are running Splunk on 3 Environments

Env#1 is Splunk Cloud v 8.2.2112.1
Env#2 is Splunk Cloud v 9.0.2208.3
Env#3 is Splunk Enterprise v 9.0.1 

The following SPL successfully runs on Env#2 and Env#3 and produces the expected result:

| makeresults
| eval mvfield=mvappend("1", "2", "3"), total=2
| foreach mode=multivalue mvfield
     [eval total = total + <<ITEM>>]
| table mvfield, total

Result from running the above search in Env#2 and Env#3:

mvfield    total
1          8
2
3


Running exactly the same search in Env#1 triggers the error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<<ITEM>>'.

Any advice on a workaround?

Thank you!


richgalloway
SplunkTrust

The <<ITEM>> template is new in Splunk 9 and unrecognized in Splunk 8.

---
If this reply helps you, Karma would be appreciated.
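
An added example, not part of the original thread: one way to get the same total on a release without the <<ITEM>> template is to expand the multivalue field and sum it with stats. It uses only mvexpand, streamstats, stats and eval; the field names row_id and item_sum are hypothetical helpers introduced here so that each original event is regrouped separately.

```spl
| makeresults
| eval mvfield=mvappend("1", "2", "3"), total=2
| streamstats count AS row_id
| mvexpand mvfield
| stats list(mvfield) AS mvfield, first(total) AS total, sum(mvfield) AS item_sum BY row_id
| eval total = total + item_sum
| table mvfield, total
```

On large result sets mvexpand is subject to memory limits, so check for truncation warnings in the job inspector before relying on the totals.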

mlevsh
Builder

@richgalloway
Thank you for the reply! 

Already found that the <<ITEM>> token was introduced in the first release of v. 9:
So the difference in our ENVs' versions is indeed the reason for the different behavior.

https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Foreach

fieldstr | <<FIELD>> | The whole field name. | multifield
matchstr | <<MATCHSTR>> | The part of the field name that matches the wildcard values in the wildcard field. | multifield
matchseg1 | <<MATCHSEG1>> | The part of the field name that matches the first wildcard. | multifield
matchseg2 | <<MATCHSEG2>> | The part of the field name that matches the second wildcard. | multifield
matchseg3 | <<MATCHSEG3>> | The part of the field name that matches the third wildcard. | multifield
itemstr | <<ITEM>> | Matches each element in a multivalue field or JSON array. | multivalue or json_array


<<ITEM>> is not available in the last release of version 8:
https://docs.splunk.com/Documentation/Splunk/8.2.9/SearchReference/Foreach

Token | Description
<<FIELD>> | Each time the subsearch is run, the field value substitutes the whole field name for each field you specify in the <field-list>.
<<MATCHSTR>> | The part of field name that matches wildcards in the specifier.
<<MATCHSEG1>> | The part of field name that matches first wildcard.
<<MATCHSEG2>> | The part of field name that matches second wildcard.
<<MATCHSEG3>> | The part of field name that matches third wildcard.


