Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'eval' command (Expected IN) when using filter time token in dbxquery

Julia1231
Communicator
‎11-29-2022 02:42 AM

Hi everyone,

I want to create a Dashboard where the time filter (a customize, no preset by Splunk) will effect the result in the table.

Data from table comes from a database, so I use dbxquery.

When I run  the script below, I get an error: 
Error in 'eval' command: The expression is malformed. Expected IN.

I have no idea what is wrong, anyone has an idea please?

| dbxquery connection="connection_name"
[| makeresults
| eval time1 = tostring("-2h@h")
| eval time2 = tostring("@h")
| eval time2 = if(time2=="", now(), time2)
| eval time1 = if(time2=="now", relative_time(now(), time1), time1)
| eval time2 = if(time2=="now", now(), time2)
| eval time1 = if(match(time1,"[@|y|q|mon|w|d|h|m|s]"), relative_time(now(), time1), time1)
| eval time2 = if(match(time2,"[@|y|q|mon|w|d|h|m|s]"), relative_time(now(), time2), time2)
| eval time1 = strftime(time1, "%Y-%m-%d %H:%M:%S")
| eval time2 = strftime(time2, "%Y-%m-%d %H:%M:%S")
| eval query = "SELECT * FROM "catalog"."schema"."table" WHERE date_time BETWEEN '" . time1 . "' AND '" . time2 . "' "
| return query]

Thanks a lot.

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2022 03:42 AM

I must say that if it runs as it is written, I'm surprised since the quotes in the query parameters are obviously off. But indeed if I paste it into my splunk it fails not on the command parsing phase but on the execution (which is understandable since I don't have any db connections configured).

But anyway.

Just run the subsearch itself

| makeresults
| eval time1 = tostring("-2h@h")
| eval time2 = tostring("@h")
| eval time2 = if(time2=="", now(), time2)
| eval time1 = if(time2=="now", relative_time(now(), time1), time1)
| eval time2 = if(time2=="now", now(), time2)
| eval time1 = if(match(time1,"[@|y|q|mon|w|d|h|m|s]"), relative_time(now(), time1), time1)
| eval time2 = if(match(time2,"[@|y|q|mon|w|d|h|m|s]"), relative_time(now(), time2), time2)
| eval time1 = strftime(time1, "%Y-%m-%d %H:%M:%S")
| eval time2 = strftime(time2, "%Y-%m-%d %H:%M:%S")
| eval query = "SELECT * FROM "catalog"."schema"."table" WHERE date_time BETWEEN '" . time1 . "' AND '" . time2 . "' "
| return query

And you will see that it fails.

Try to trim it to see which command is the culprit. (I already showed you that).

 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2022 02:48 AM

Firstly, if you have such problem, try to narrow the scope of your search to find where exactly the error is.

In your case - get the subsearch "out" of the main search and try to run it independently. See what the results are and whether they match the expected format for supplying into the main search.

Secondly - if you copy-pasted the search as you run it - it won't fly.

 eval query = "SELECT * FROM "catalog"."schema"."table" WHERE date_time BETWEEN '" . time1 . "' AND '" . time2 . "' "

 This one has broken quotes.

0 Karma
Reply
Solved! Jump to solution

Julia1231
Communicator
‎11-29-2022 03:19 AM

Hi @PickleRick 

Thanks for your feedback.

I tried this part, it shows result as expected:

|dbxquery connection="DBconnection" query="SELECT * FROM "catalog"."schema"."table" WHERE date_time BETWEEN NOW() - INTERVAL '2 HOURS' AND NOW() "

But when I put it back into the subsearch as the beginning, it shows again the error. 

I don't know if that's what you are talking about?

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2022 03:42 AM

I must say that if it runs as it is written, I'm surprised since the quotes in the query parameters are obviously off. But indeed if I paste it into my splunk it fails not on the command parsing phase but on the execution (which is understandable since I don't have any db connections configured).

But anyway.

Just run the subsearch itself

| makeresults
| eval time1 = tostring("-2h@h")
| eval time2 = tostring("@h")
| eval time2 = if(time2=="", now(), time2)
| eval time1 = if(time2=="now", relative_time(now(), time1), time1)
| eval time2 = if(time2=="now", now(), time2)
| eval time1 = if(match(time1,"[@|y|q|mon|w|d|h|m|s]"), relative_time(now(), time1), time1)
| eval time2 = if(match(time2,"[@|y|q|mon|w|d|h|m|s]"), relative_time(now(), time2), time2)
| eval time1 = strftime(time1, "%Y-%m-%d %H:%M:%S")
| eval time2 = strftime(time2, "%Y-%m-%d %H:%M:%S")
| eval query = "SELECT * FROM "catalog"."schema"."table" WHERE date_time BETWEEN '" . time1 . "' AND '" . time2 . "' "
| return query

And you will see that it fails.

Try to trim it to see which command is the culprit. (I already showed you that).

 

Reply
Solved! Jump to solution

Julia1231
Communicator
‎11-29-2022 05:31 AM

@PickleRick Thank you.

I found and correct it finally. 

| eval query = "SELECT * FROM catalog.schema.table WHERE date_time BETWEEN '" . time1 . "' AND '" . time2 . "' "

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...