So I've recently got into a new job, where I'm learning Splunk and learning how to support splunk searches and dashboards left behind by someone else.
I'm currently trying to go through a lot of the previous worker's searches, and I'm trying to understand how they all work. Right now I'm looking at a search that is part of a larger dashboard, and whenever I want to run this bit as an individual search, it's giving me the error "Error in 'EvalCommand': The expression is malformed. Expected )." The search itself is:
index=vuln_vulnscan sourcetype=tenable:sc:vuln severity.id>=2 OR pluginID="19506" earliest=-12d latest=now()
[ search index=inventory_snow ((sourcetype=snow:cmdb_ci_network_adapter AND ("ip_address\"\: \"56." OR "ip_address\"\: \"170.214")) OR (sourcetype=snow:cmdb_ci_computer) OR (sourcetype="snow:cmdb_ci_server")) dv_u_eir="*$eir$*" dv_u_environment="$eir_env$" earliest=-2d latest=now()
| fields dv_name
| stats latest(*) as * by dv_name
| lookup dnslookup clienthost as dv_name OUTPUT clientip as ip
| table ip]
| fields pluginID dnsName ip port severity.name pluginName synopsis solution firstSeen lastSeen severity.id patchPubDate pluginText
| stats latest(*) as * by ip, pluginID, port
| eval patchAvailable="No Patch Available/Requires Manual Fix"
| eval patchAvailable=if(((patchPubDate>relative_time(now(),"-30d"))),"0d-30d",patchAvailable)
| eval patchAvailable=if(((patchPubDate<relative_time(now(),"-30d")) AND (patchPubDate>relative_time(now(),"-60d"))),"30d-60d",patchAvailable)
| eval patchAvailable=if(((patchPubDate<relative_time(now(),"-60d")) AND (patchPubDate>relative_time(now(),"-90d"))),"60d-90d",patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-90d") AND (patchPubDate>relative_time(now(),"-180d"))), "90d-180d",patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-180d") AND (patchPubDate>relative_time(now(),"-365d"))), "180d-365d", patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-365d") AND (patchPubDate>0)), "365d+", patchAvailable)
I understand most of this search, but I don't understand why Splunk would be giving this error. I've went over it with a finetoothed comb and I couldn't find any missing ")" symbols anywhere. There's no eval in the subsearch, and all the eval commands I see have the proper grammar for the program.
Is it something to do with the fact that I copied this out of a larger dashboard?
