Splunk Search

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'. Help Please

samlinsongguo
Communicator

I have a search running fine by itself,

 

index=indexA user=ABC123 
| where isnotnull(USER_NAME_FROM_ACEE) 
| table USER_NAME_FROM_ACEE 
| dedup USER_NAME_FROM_ACEE 
| return $USER_NAME_FROM_ACEE

 

but if I put the search as a subsearch in if statement as below

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

 

it will throw me the errro ""Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'.

I did test to simplify the search and  find the problem is the filed name part"USER_NAME_FROM_ACEE"

if I do

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | table user
   ],
    user)
| table actual_user

 

it works fine, but if I do

 

| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123 
    | table USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

 

it will throw me the error, which totally does not make sense to me, any suggestion why it is like this?

 

Labels (1)
1 Solution

samlinsongguo
Communicator

I find the problem is actually not the field name it is the result subsearch produced or I should say "

| return $USER_NAME_FROM_ACEE

return empty result which cause the search run as

| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user

and it caused error.

find the root cause by adding "format" command at the end of my search

   index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
    | format

View solution in original post

samlinsongguo
Communicator

I find the problem is actually not the field name it is the result subsearch produced or I should say "

| return $USER_NAME_FROM_ACEE

return empty result which cause the search run as

| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user

and it caused error.

find the root cause by adding "format" command at the end of my search

   index=indexA user=ABC123 
    | where isnotnull(USER_NAME_FROM_ACEE) 
    | table USER_NAME_FROM_ACEE 
    | dedup USER_NAME_FROM_ACEE 
    | return $USER_NAME_FROM_ACEE
    | format

to4kawa
Ultra Champion
| eval unc=mvcount(user_num ) 
| eval actual_user=if((unc!=1), 
   [
    index=indexA user=ABC123
    | eval USER_NAME_FROM_ACEE="\"".USER_NAME_FROM_ACEE."\""
    | table USER_NAME_FROM_ACEE
   ],
    user)
| table actual_user

how about this?

Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...