Splunk Search

Getting an Error in 'eval' command: The expression is malformed. Expected ).

joshimeister
Loves-to-Learn Lots

Hello,

So I know this exact same error has been brought up by others here. However, my query is a simple one and the error is not making sense to me. I have the parentheses opened and closed in what i thought was the correct syntax.

Basically what i am trying to do is trying to map out the data into a choropleth map. In this case, I am only using one state to test this out.
I have the same exact query elsewhere working. However, when i tried it here, im receiving this eval error.

index=index_name state_name="AK"
| eval state=case(like(state_name, "AK"), "Alaska")
| chart count by state
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| geom geo_us_states featureIdField=state allFeatures=true

Any suggestions?

Thanks all

0 Karma
1 Solution

ololdach
Builder

Hi joshimeister, I've had something like that happen to me before. Don't feel bad, it may be a subtle one. Check your double quotes. If my assumption is right, you'll find that for some reason one of the closing double quotes has been changed from straight double quotes to slightly rounded closing quotes. Therefore the string is not closed and the error is thrown. To fix, erase the rounded double quote and retype it. I've yet to find the reason for this. Sometimes it seems to happen with cut & paste from Rich Text editors like the notes app on Mac or Word. -Oliver

View solution in original post

0 Karma

woodcock
Esteemed Legend

I assume that you are actually doing something like this so spread each state out on a separate line and have a default clause at the end; then it will be easy to find the problem:

index=index_name state_name="AK"
| eval state=case(
like(state_name, "AK"), "Alaska",
...
like(state_name, "WY"), "Wyoming",
true(), "Confusion")
| chart count by state
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| geom geo_us_states featureIdField=state allFeatures=true
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi joshimeister,
at first if you have a filter for state, you don't need of case statement in eval command, so you could use

| eval state=if(state_name, "AK", "Alaska",state_name)

Then I usually use stats command instead chart, but it's the same thing (chart is useful when you want a table with many columns and rows).
Anyway, I think that the problem could be on case and like statement.
So I'd try something like this:

index=index_name state_name="AK"
| eval state=if(state_name, "AK", "Alaska",state_name)
| stats count by state
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| geom geo_us_states featureIdField=state allFeatures=true

Anyway, try to delete all the spaces between words, maybe you copied something from an external editor and there's a special char o a tab and you see only spaces.

Bye.
Giuseppe

0 Karma

joshimeister
Loves-to-Learn Lots

Thanks @gcusello, looks like there was something wrong with my quotation marks even after re-typing them.

0 Karma

ololdach
Builder

Hi joshimeister, I've had something like that happen to me before. Don't feel bad, it may be a subtle one. Check your double quotes. If my assumption is right, you'll find that for some reason one of the closing double quotes has been changed from straight double quotes to slightly rounded closing quotes. Therefore the string is not closed and the error is thrown. To fix, erase the rounded double quote and retype it. I've yet to find the reason for this. Sometimes it seems to happen with cut & paste from Rich Text editors like the notes app on Mac or Word. -Oliver

0 Karma

joshimeister
Loves-to-Learn Lots

Thanks! @ololdach . I have tried this before with the same assumption that the quotations marks were causing a problem and did try re-typing the quotations marks before but still couldnt get it to work. Somehow it works now. Strange but thanks for the help. I got it working somehow.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...