Hi
I am getting the following error on my application/dashboard:
"Error in 'eval' command: The expression is malformed."
The query that is being triggered is:
| makeresults count=1 | eval id=$incident_id$| sendalert canary_acknowledge_incident param.incident_id=$incident_id$ param.index_name="main"
<input type="dropdown" token="incident_id" searchWhenChanged="false">
<label>Incident to Close</label>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search>
<query>`canary_tools_index` sourcetype="canarytools:incidents" | stats values(id) as id| mvexpand id</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
</input>
And running that dropdown-populating query in the Search tool gives results such as:
incident:canarytoken:80f36193721b94fb268bb6df:<source_ip>:<epoch_timestamp>
incident:canarytoken:80f36193721b94fb268bb6df:<source_ip>:<epoch_timestamp>
Previous questions asked on this forum point towards field names in the `eval` command not working whenever they start with a numeric character. But this is not the case in my issue, as I am using:
`eval id=$incident_id$`
This is happening on Splunk 8.0.0.
Hi @KeaganJ,
try to add quotes to the eval and sendalert commands:
| makeresults count=1
| eval id="$incident_id$"
| sendalert canary_acknowledge_incident param.incident_id="$incident_id$" param.index_name="main"
Ciao.
Giuseppe
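To show why the unquoted form fails and what the quoted form does, here is an added Python model of dashboard token substitution; it is not code from this thread or from Splunk. The substitution rules, the well-formedness check and the `|s` filter model are assumptions that approximate Splunk's behaviour, and the incident id is a constructed sample in the shape the dropdown returns.

```python
import re

# Constructed sample incident id in the shape the dropdown query returns;
# the angle-bracket placeholders stand in for the real values, as in the post.
INCIDENT_ID = "incident:canarytoken:80f36193721b94fb268bb6df:<source_ip>:<epoch_timestamp>"

# $name$ inserts the raw token value; $name|s$ is Splunk's "s" filter (quote and escape).
TOKEN_RE = re.compile(r"\$(\w+)(\|s)?\$")


def splunk_s_filter(value: str) -> str:
    """Model (assumed) of the |s token filter: quote the value, escaping \\ and "."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def substitute_tokens(template: str, tokens: dict) -> str:
    """Expand $token$ / $token|s$ in a search string (assumed model of dashboard behaviour)."""
    return TOKEN_RE.sub(
        lambda m: splunk_s_filter(tokens[m.group(1)]) if m.group(2) else tokens[m.group(1)],
        template,
    )


def eval_rhs_is_well_formed(spl: str) -> bool:
    """True when the right-hand side of `eval id=` is either a bare field name or exactly
    one double-quoted string literal containing only escaped quotes. Anything else
    (colons outside quotes, a quote that closes the literal early) approximates what
    Splunk rejects as "The expression is malformed" or would misparse."""
    rhs = re.search(r"\|\s*eval\s+id=(.*?)(?=\s*\||$)", spl).group(1).strip()
    if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rhs):
        return True
    return re.fullmatch(r'"(?:[^"\\]|\\.)*"', rhs) is not None


UNQUOTED = "| makeresults count=1 | eval id=$incident_id$"      # the failing form
QUOTED = '| makeresults count=1 | eval id="$incident_id$"'      # Giuseppe's fix
FILTERED = "| makeresults count=1 | eval id=$incident_id|s$"    # quote + escape via |s


def check(template: str, value: str) -> bool:
    """Substitute one token value into a template and report whether eval's RHS is sound."""
    return eval_rhs_is_well_formed(substitute_tokens(template, {"incident_id": value}))
```

Manual quoting is enough for ids like the one above, but a value that itself contains a double quote breaks out of the literal; the `|s` filter keeps the expression well-formed in that case too.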
I managed to fix my issue by surrounding the variable with double quotes, i.e.:
eval id="$incident_id$"
Thanks Giuseppe, just saw your reply now as I refreshed the page. Your solution works great for me.