Splunk Search

Error in 'eval' command: unexpected character at 86400

inventsekar
SplunkTrust

Hi All, in the internal logs I see this eval command error:
ERROR EvalCommand - Error in 'eval' command: The expression is malformed. An unexpected character is reached at '*)/86400)'.

But it does not provide more details, like which search query / search report / alert caused this error message.

I searched about this, but no luck. Could someone provide some suggestions, please? Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust

Hi @richgalloway / Hi All, the above rest query returns around 25 searches. I ran all of them and all are running fine; they give no errors (on the GUI, as well as in the job inspector).

1) In the internal logs, I see this error around 12 times per hour (6 times at the hour, 6 times at the 30 min). So, just after it appears in the internal log, I log in to the search head Linux box and, in the dispatch directory, when I search the search logs for this error, the search query which caused this entry in the internal logs is not showing up.

find ./ -type f -exec grep -H '/86400)' {} \;

find ./ -name search.log -exec grep -H '/86400)' {} \;

2) Apart from search queries, is there anything else which might cause these errors in the internal logs (any field extractions, etc.)?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

richgalloway
SplunkTrust

Yes, that's one of Splunk's many crappy error messages.

If you have access to the CLI, search the savedsearches.conf files for that reported string.

 

find /opt/splunk/etc/apps -name savedsearches.conf -exec grep -HF '*)/86400)' {} \;

 

If you don't have CLI access then try this SPL query

 

| rest /services/saved/searches splunk_server=local
| search search=* 
| where match(search, "\*\)\/86400\)")

 

---
If this reply helps you, Karma would be appreciated.

gauravu_14
Explorer

After running the SPL query, I am getting the below error:
"Error in 'where' command: Regex: unmatched closing parenthesis"

0 Karma

richgalloway
SplunkTrust

That's probably because of improper escaping of the embedded ')' characters.  I've corrected my answer.

---
If this reply helps you, Karma would be appreciated.

gauravu_14
Explorer

Thanks, the SPL did work this time. However, there was no result for the mentioned string and yet I am seeing that error.

0 Karma

richgalloway
SplunkTrust

The regex may need to be adjusted.  Try searching just for "86400".

---
If this reply helps you, Karma would be appreciated.
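
An added example, not part of the thread and not Splunk's own tooling: a shell function that runs the literal-string search suggested above over every .conf file under the given directories (going beyond savedsearches.conf, since the expression could sit in another configuration file) and prints the stanza and key of each hit, following backslash line continuations. The function name `find_conf_expr`, the tab-separated output and the `/opt/splunk/etc` path in the usage comment are assumptions made for this example.

```sh
#!/bin/sh
# Added example: locate a literal string in Splunk .conf files and report
# which stanza (e.g. the saved search name) and which key it belongs to.
# Plain grep shows only the matching line, which for a multi-line search
# is a continuation line with no stanza name on it.
#
# Usage (install path is an assumption):
#   find_conf_expr '*)/86400)' /opt/splunk/etc
# Output columns: file <TAB> stanza <TAB> key <TAB> line number

find_conf_expr() {
    needle=$1; shift
    # Pass the needle through the environment so awk does not interpret
    # backslashes in it; index() then does a literal, non-regex match.
    NEEDLE=$needle find "$@" -type f -name '*.conf' -exec awk '
        BEGIN { needle = ENVIRON["NEEDLE"] }
        # New file: reset stanza, key and continuation state.
        FNR == 1 { stanza = "(global)"; key = ""; cont = 0 }
        {
            line = $0
            if (!cont) {
                if (line ~ /^\[.*\][ \t]*$/) {
                    # Stanza header, e.g. [My saved search]
                    stanza = line; key = ""
                } else if (match(line, /^[A-Za-z_][^=]*=/)) {
                    # "key = value" line: remember the key name.
                    key = substr(line, RSTART, RLENGTH - 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", key)
                }
            }
            if (index(line, needle))
                printf "%s\t%s\t%s\t%d\n", FILENAME, stanza, key, FNR
            # A trailing backslash continues the value on the next line.
            cont = (line ~ /\\[ \t]*$/)
        }
    ' {} +
}
```

A hit whose key is something other than `search` shows that the expression is defined outside a saved search's query.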