Splunk Search

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'. Help Please

samlinsongguo
Communicator

I have a search running fine by itself,

 

index=indexA user=ABC123 
| where isnotnull(USER_NAME_FROM_ACEE) 
| table USER_NAME_FROM_ACEE 
| dedup USER_NAME_FROM_ACEE 
| return $USER_NAME_FROM_ACEE

 

but if I put the search as a subsearch in if statement as below

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

 

it will throw me the errro ""Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'.

I did test to simplify the search and  find the problem is the filed name part"USER_NAME_FROM_ACEE"

if I do

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | table user
   ],
    user)
| table actual_user

 

it works fine, but if I do

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | table USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

 

it will throw me the error, which totally does not make sense to me, any suggestion why it is like this?

 

Labels (1)
1 Solution

samlinsongguo
Communicator

I find the problem is actually not the field name it is the result subsearch produced or I should say "

| return $USER_NAME_FROM_ACEE

return empty result which cause the search run as

| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user

and it caused error.

find the root cause by adding "format" command at the end of my search

   index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
    | format

View solution in original post

samlinsongguo
Communicator

I find the problem is actually not the field name it is the result subsearch produced or I should say "

| return $USER_NAME_FROM_ACEE

return empty result which cause the search run as

| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user

and it caused error.

find the root cause by adding "format" command at the end of my search

   index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
    | format

to4kawa
Ultra Champion
| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123
    | eval USER_NAME_FROM_ACEE="\"".USER_NAME_FROM_ACEE."\""
    | table USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

how about this?

Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...