Splunk Search

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'. Help Please

samlinsongguo
Communicator

I have a search running fine by itself,

 

index=indexA user=ABC123 
| where isnotnull(USER_NAME_FROM_ACEE) 
| table USER_NAME_FROM_ACEE 
| dedup USER_NAME_FROM_ACEE 
| return $USER_NAME_FROM_ACEE

 

but if I put the search as a subsearch in if statement as below

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

 

it will throw me the errro ""Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'.

I did test to simplify the search and  find the problem is the filed name part"USER_NAME_FROM_ACEE"

if I do

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | table user
   ],
    user)
| table actual_user

 

it works fine, but if I do

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | table USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

 

it will throw me the error, which totally does not make sense to me, any suggestion why it is like this?

 

Labels (1)
1 Solution

samlinsongguo
Communicator

I find the problem is actually not the field name it is the result subsearch produced or I should say "

| return $USER_NAME_FROM_ACEE

return empty result which cause the search run as

| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user

and it caused error.

find the root cause by adding "format" command at the end of my search

   index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
    | format

View solution in original post

samlinsongguo
Communicator

I find the problem is actually not the field name it is the result subsearch produced or I should say "

| return $USER_NAME_FROM_ACEE

return empty result which cause the search run as

| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user

and it caused error.

find the root cause by adding "format" command at the end of my search

   index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
    | format

to4kawa
Ultra Champion
| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123
    | eval USER_NAME_FROM_ACEE="\"".USER_NAME_FROM_ACEE."\""
    | table USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

how about this?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...