Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error The expression is malformed. An unexpected character is reached at '<<ITEM>> triggered only in Splunk v 8.2.2112.1

mlevsh
Builder
‎11-10-2022 06:49 AM

Hi,

We are running Splunk on 3 Environments

Env#1 is Splunk Cloud v 8.2.2112.1
Env#2 is Splunk Cloud v 9.0.2208.3
Env#3 is Splunk Enterprise v 9.0.1 

The following SPL successfully runs on Env#2 and Env#3 and produces the expected result:

| makeresults
| eval mvfield=mvappend("1", "2", "3"), total=2
| foreach mode=multivalue mvfield
     [eval total = total + <<ITEM>>]
| table mvfield, total

Result from running above search in Env#2 and Env#3: 

mvfield total

1
2
3
8


Running the exactly same search in Env#1 triggers the ERROR:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<<ITEM>>'.

Any advices on workaround?

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2022 08:22 AM

The <<ITEM>> template is new in Splunk 9 and unrecognized in Splunk 8.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2022 08:22 AM

The <<ITEM>> template is new in Splunk 9 and unrecognized in Splunk 8.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mlevsh
Builder
‎11-10-2022 08:26 AM

@richgalloway
Thank you for the reply! 

Already found that <<ITEM>> token was introduced in first release of v. 9:
So the difference in our EVNs versions is indeed the reason for different behavior.

https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Foreach

fieldstr<<FIELD>>The whole field name.multifield
matchstr<<MATCHSTR>>The part of the field name that matches the wildcard values in the wildcard field.multifield
matchseg1<<MATCHSEG1>>The part of the field name that matches the first wildcard.multifield
matchseg2<<MATCHSEG2>>The part of the field name that matches the second wildcard.multifield
matchseg3<<MATCHSEG3>>The part of the field name that matches the third wildcard.multifield
itemstr<<ITEM>>Matches each element in a multivalue field or JSON array.multivalue or json_array


<<ITEM>> is not available in last release of version 8
https://docs.splunk.com/Documentation/Splunk/8.2.9/SearchReference/Foreach

Token Description

<<FIELD>>Each time the subsearch is run, the field value substitutes the whole field name for each field you specify in the <field-list>.
<<MATCHSTR>>The part of field name that matches wildcards in the specifier.
<<MATCHSEG1>>The part of field name that matches first wildcard.
<<MATCHSEG2>>The part of field name that matches second wildcard.
<<MATCHSEG3>>The part of field name that matches third wildcard.



0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...