Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'eval' command: The expression is malformed.

KeaganJ
Path Finder
‎09-03-2020 02:25 AM

Hi 

I am getting the following error on my application/dashboard:
" Error in 'eval' command: The expression is malformed."

The query that is being triggered is:

| makeresults count=1 | eval id=$incident_id$| sendalert canary_acknowledge_incident param.incident_id=$incident_id$ param.index_name="main"
 
And this is getting triggered when a Submit Button is being clicked.
The Submit button is tied to a Dropdown of values.
The dropdown is populated with values and is defined as below:
<input type="dropdown" token="incident_id" searchWhenChanged="false">
 <label>Incident to Close</label>
 <fieldForLabel>id</fieldForLabel>
 <fieldForValue>id</fieldForValue>
 <search>
  <query>`canary_tools_index` sourcetype="canarytools:incidents" | stats values(id) as id| mvexpand id</query>
  <earliest>-30d@d</earliest>
  <latest>now</latest>
 </search>
</input>

And running that drop down populating query using the Search tool gives information such as:

incident:canarytoken:80f36193721b94fb268bb6df:<source_ip>:<epoch_timestamp>
incident:canarytoken:80f36193721b94fb268bb6df:<source_ip>:<epoch_timestamp>

 

Looking at previous questions asked on this forum point towards the field names of the `eval` command not working whenever they start with a numeric character. But this is not the case in my issues as I am using :
`eval id=$incident_id$`

 

This is happening on Splunk 8.0.0

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-03-2020 02:35 AM

Hi @KeaganJ,

try to add quotes to the eval and sendalert commands:

| makeresults count=1 
| eval id="$incident_id$"
| sendalert canary_acknowledge_incident param.incident_id="$incident_id$" param.index_name="main"

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

KeaganJ
Path Finder
‎09-03-2020 02:45 AM

I managed to fix my issue by surrounding the variable in double quotes ie:

eval id="$incident_id$"
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-03-2020 02:52 AM

Hi @KeaganJ,

good!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-03-2020 02:35 AM

Hi @KeaganJ,

try to add quotes to the eval and sendalert commands:

| makeresults count=1 
| eval id="$incident_id$"
| sendalert canary_acknowledge_incident param.incident_id="$incident_id$" param.index_name="main"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

KeaganJ
Path Finder
‎09-03-2020 02:52 AM

Thanks Giuseppe Just saw your reply now as I refreshed the page. Your solution works great for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...