Splunk Search

Help me understand: "Error in 'EvalCommand': The expression is malformed. Expected )."

TorbinIT
Path Finder

So I've recently got into a new job, where I'm learning Splunk and learning how to support splunk searches and dashboards left behind by someone else. 

I'm currently trying to go through a lot of the previous worker's searches, and I'm trying to understand how they all work. Right now I'm looking at a search that is part of a larger dashboard, and whenever I want to run this bit as an individual search, it's giving me the error "Error in 'EvalCommand': The expression is malformed. Expected )." The search itself is:

index=vuln_vulnscan sourcetype=tenable:sc:vuln severity.id>=2 OR pluginID="19506" earliest=-12d latest=now()
[ search index=inventory_snow ((sourcetype=snow:cmdb_ci_network_adapter AND ("ip_address\"\: \"56." OR "ip_address\"\: \"170.214")) OR (sourcetype=snow:cmdb_ci_computer) OR (sourcetype="snow:cmdb_ci_server")) dv_u_eir="*$eir$*" dv_u_environment="$eir_env$" earliest=-2d latest=now()
| fields dv_name
| stats latest(*) as * by dv_name
| lookup dnslookup clienthost as dv_name OUTPUT clientip as ip
| table ip]
| fields pluginID dnsName ip port severity.name pluginName synopsis solution firstSeen lastSeen severity.id patchPubDate pluginText
| stats latest(*) as * by ip, pluginID, port
| eval patchAvailable="No Patch Available/Requires Manual Fix"
| eval patchAvailable=if(((patchPubDate>relative_time(now(),"-30d"))),"0d-30d",patchAvailable)
| eval patchAvailable=if(((patchPubDate<relative_time(now(),"-30d")) AND (patchPubDate>relative_time(now(),"-60d"))),"30d-60d",patchAvailable)
| eval patchAvailable=if(((patchPubDate<relative_time(now(),"-60d")) AND (patchPubDate>relative_time(now(),"-90d"))),"60d-90d",patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-90d") AND (patchPubDate>relative_time(now(),"-180d"))), "90d-180d",patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-180d") AND (patchPubDate>relative_time(now(),"-365d"))), "180d-365d", patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-365d") AND (patchPubDate>0)), "365d+", patchAvailable)

I understand most of this search, but I don't understand why Splunk would be giving this error. I've went over it with a finetoothed comb and I couldn't find any missing ")" symbols anywhere. There's no eval in the subsearch, and all the eval commands I see have the proper grammar for the program.

Is it something to do with the fact that I copied this out of a larger dashboard?

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

If that's your literal search, it is indeed malformed. You copy-pasted it from somewhere and instead of ">"  you have html entities ">".

View solution in original post

TorbinIT
Path Finder

Aaaah, that makes sense! Thank you very much for the response!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

If that's your literal search, it is indeed malformed. You copy-pasted it from somewhere and instead of ">"  you have html entities ">".

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...