Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Error in 'eval' command: The expression is malform...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search running fine by itself,
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
but if I put the search as a subsearch in if statement as below
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
],
user)
| table actual_user
it will throw me the errro ""Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , user)'.
I did test to simplify the search and find the problem is the filed name part"USER_NAME_FROM_ACEE"
if I do
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| table user
],
user)
| table actual_user
it works fine, but if I do
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| table USER_NAME_FROM_ACEE
],
user)
| table actual_user
it will throw me the error, which totally does not make sense to me, any suggestion why it is like this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find the problem is actually not the field name it is the result subsearch produced or I should say "
| return $USER_NAME_FROM_ACEEreturn empty result which cause the search run as
| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user
and it caused error.
find the root cause by adding "format" command at the end of my search
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
| format- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find the problem is actually not the field name it is the result subsearch produced or I should say "
| return $USER_NAME_FROM_ACEEreturn empty result which cause the search run as
| eval actual_user=if((unc=1), user, ( ( "" ) ) | table actual_user
and it caused error.
find the root cause by adding "format" command at the end of my search
index=indexA user=ABC123
| where isnotnull(USER_NAME_FROM_ACEE)
| table USER_NAME_FROM_ACEE
| dedup USER_NAME_FROM_ACEE
| return $USER_NAME_FROM_ACEE
| format- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval unc=mvcount(user_num )
| eval actual_user=if((unc!=1),
[
index=indexA user=ABC123
| eval USER_NAME_FROM_ACEE="\"".USER_NAME_FROM_ACEE."\""
| table USER_NAME_FROM_ACEE
],
user)
| table actual_userhow about this?
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
