Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: unexpected character at 86400

inventsekar
SplunkTrust
SplunkTrust
‎05-14-2021 11:46 AM

Hi All, On the internal logs i see this eval command error - 
ERROR EvalCommand - Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*)/86400)'.

but it does not provide more details like which search query / search report / alert caused this error msg. 

searched about this, but no luck. could someone provide some suggestions please. thanks..

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎05-18-2021 05:30 AM

Hi @richgalloway / Hi All.. the above rest query returns around 25 searches, i ran all of them, all are running fine.. no errors they give(on the gui, as well as on job inspector),..

 

1) on the internal logs, i see this error around 12 times per hour, (6 times at the hour, 6 times at the 30min).. so, just after it appears on the internal log, i login to the search head linux box, on the dispatch directory,

when i search for the search logs for this error, the correct search query which caused this log into the internal logs not showing up..

find ./ -type f -exec grep -H '/86400)' {} \;

find ./ -name search.log -exec grep -H '/86400)' {} \;

2. apart from search queries, is there anything else which might cause this errors in the internal logs?! (any field extractions, ..etc)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2021 01:26 PM

Yes, that's one of Splunk's many crappy error messages.

If you have access to the CLI, search the savedsearches.conf files for that reported string.

 

find /opt/splunk/etc/apps -name savedsearches.conf -exec grep "\*)\/86400)" {} \;

 

If you don't have CLI access then try this SPL query

 

| rest /services/saved/searches splunk_server=local
| search search=* 
| where match(search, "\*\)\/86400\)")

 

---
If this reply helps you, Karma would be appreciated.
Reply

gauravu_14
Explorer
‎01-30-2023 09:30 AM

After running the SPL query, I am getting the below error:
"Error in 'where' command: Regex: unmatched closing parenthesis"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 10:01 AM

That's probably because of improper escaping of the embedded ')' characters.  I've corrected my answer.

---
If this reply helps you, Karma would be appreciated.
Reply

gauravu_14
Explorer
‎01-30-2023 10:31 AM

Thanks, the SPL did work this time. However, there was no result for the mentioned string and yet I am seeing that error

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 12:28 PM

The regex may need to be adjusted.  Try searching just for "86400".

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...