Error in 'eval' command: The expression is malform...

sharma11031988 · ‎03-28-2019

Hello All,

I am trying to remove events from my Dashboards for a specific time frame using data input from lookup.

I was able to use something from a blog, https://answers.splunk.com/answers/659389/how-to-exclude-multiple-time-ranges-from-multiple.html , and use this code to remove events:(This is the only format with which I can remove my event)

if(([| inputlookup exclusion.csv | convert timeformat="%b/%d/%Y %H:%M:%S" mktime(EndTime) mktime(StartTime) | eval search="_time>=".StartTime." AND _time<=".EndTime | return 500 $search]),"false","true")

However, when I enable acceleration on my Data model, I am getting a syntax error for a condition put in DM like this, while same works fine without acceleration

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[| inputlookup exclusion.csv | convert timeformat="%b/%d/%Y %H:%M:%S" mktime(EndTime) mktime(StartTime) | eval search="_time>=".StartTime." AND _time<=".EndTime | return 500 $search] ,"false","true")'

Can anyone help me figure out what am I doing wrong?

samsplunks · ‎09-13-2023

Hard a hard time debugging that one.

It only works if your SPL code with subquery return is in a dashboard "base search".

<dashboard>
  <label>My dashboard title</label>
<search id="parent_search_1">
    <query>``` put your query here with your subquery return $ ```</query>
</search>
<row>
<panel>
<table>
<title>My child visualization</title>
<search base="parent_search_1">
<query>``` have the rest of your query there ```</query>

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[|

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life