Splunk Search

Getting an Error in 'eval' command: The expression is malformed. Expected ).

joshimeister
Loves-to-Learn Lots

Hello,

So I know this exact same error has been brought up by others here. However, my query is a simple one and the error is not making sense to me. I have the parentheses opened and closed in what i thought was the correct syntax.

Basically what i am trying to do is trying to map out the data into a choropleth map. In this case, I am only using one state to test this out.
I have the same exact query elsewhere working. However, when i tried it here, im receiving this eval error.

index=index_name state_name="AK"
| eval state=case(like(state_name, "AK"), "Alaska")
| chart count by state
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| geom geo_us_states featureIdField=state allFeatures=true

Any suggestions?

Thanks all

0 Karma
1 Solution

ololdach
Builder

Hi joshimeister, I've had something like that happen to me before. Don't feel bad, it may be a subtle one. Check your double quotes. If my assumption is right, you'll find that for some reason one of the closing double quotes has been changed from straight double quotes to slightly rounded closing quotes. Therefore the string is not closed and the error is thrown. To fix, erase the rounded double quote and retype it. I've yet to find the reason for this. Sometimes it seems to happen with cut & paste from Rich Text editors like the notes app on Mac or Word. -Oliver

View solution in original post

0 Karma

woodcock
Esteemed Legend

I assume that you are actually doing something like this so spread each state out on a separate line and have a default clause at the end; then it will be easy to find the problem:

index=index_name state_name="AK"
| eval state=case(
like(state_name, "AK"), "Alaska",
...
like(state_name, "WY"), "Wyoming",
true(), "Confusion")
| chart count by state
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| geom geo_us_states featureIdField=state allFeatures=true
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi joshimeister,
at first if you have a filter for state, you don't need of case statement in eval command, so you could use

| eval state=if(state_name, "AK", "Alaska",state_name)

Then I usually use stats command instead chart, but it's the same thing (chart is useful when you want a table with many columns and rows).
Anyway, I think that the problem could be on case and like statement.
So I'd try something like this:

index=index_name state_name="AK"
| eval state=if(state_name, "AK", "Alaska",state_name)
| stats count by state
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| geom geo_us_states featureIdField=state allFeatures=true

Anyway, try to delete all the spaces between words, maybe you copied something from an external editor and there's a special char o a tab and you see only spaces.

Bye.
Giuseppe

0 Karma

joshimeister
Loves-to-Learn Lots

Thanks @gcusello, looks like there was something wrong with my quotation marks even after re-typing them.

0 Karma

ololdach
Builder

Hi joshimeister, I've had something like that happen to me before. Don't feel bad, it may be a subtle one. Check your double quotes. If my assumption is right, you'll find that for some reason one of the closing double quotes has been changed from straight double quotes to slightly rounded closing quotes. Therefore the string is not closed and the error is thrown. To fix, erase the rounded double quote and retype it. I've yet to find the reason for this. Sometimes it seems to happen with cut & paste from Rich Text editors like the notes app on Mac or Word. -Oliver

0 Karma

joshimeister
Loves-to-Learn Lots

Thanks! @ololdach . I have tried this before with the same assumption that the quotations marks were causing a problem and did try re-typing the quotations marks before but still couldnt get it to work. Somehow it works now. Strange but thanks for the help. I got it working somehow.

0 Karma
Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...