Splunk Search

Nested "Where" Commands - Error: The expression is malformed

rescobar713
Path Finder

I'm trying to filter the results of a search based on the results of a (pretty complex) subsearch using the where command.

Here is what my search looks like right now (spacing and line breaks added for clarity):

    ... | where [search ... |
        where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id]
        | fields title] |
    ...

When I run this, I keep getting the following error:

Error in 'where' command: The expression is malformed. An unexpected character is reached at ')'. 

When I run the contents of the first (outermost) where command, like this:

... | where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id] | fields title

Everything runs perfectly fine, and I get the results I expect.

Is something wrong with my syntax? Is there a problem with having too many nested where commands? title is a field in the main search, so I assumed I could just use where to filter out all titles that weren't found by my subsearch (i.e. where title="title1" OR title="title2"...).

The error seems to be occurring at the very end of the outermost where, because when I add extraneous characters (like "asdf") to the end of the entire search I get this:

Error in 'where' command: The expression is malformed. An unexpected character is reached at ') asdf'. 

Sorry if this isn't enough information to help. I can say that this search was working perfectly about a week ago, but when I re-indexed the data to account for new information, it started giving me this error. I've broken down the search into each individual subsearch and everything works fine, but when I try to put it all together into one big search it just won't work.

Any help would be greatly appreciated.

martin_mueller
SplunkTrust

If you can, add this to limits.conf:

[search_info]
infocsv_log_level = DEBUG

Then restart Splunk. This will add debug messages to the top of the job inspector, including what strings your subsearches evaluated to. Use this to troubleshoot.
H/T to @ChrisG 🙂
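A quick way to see the same expansion without editing limits.conf is to run the subsearch on its own and pipe it through the format command, which emits the boolean string the outer command would receive. This is an added example, not code from either poster; the index and sourcetype names are constructed placeholders.

```spl
index=app_audit sourcetype=app:inventory earliest=-24h
| fields title
| format
```

The single result's search field shows the expanded expression, e.g. ( ( title="report1" ) OR ( title="report2" ) ), so an empty or oddly quoted expansion (the usual source of an "unexpected character" error in where) is visible before it is nested in a larger search.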

lguinn2
Legend

Nice - I didn't know this one!


martin_mueller
SplunkTrust

I think it's been added to the docs this week 😄


lguinn2
Legend

This is very difficult to read with all the ellipses.

Why do you need the where commands at all? Why not just put the subsearches into the main search? I am having trouble understanding what you are trying to do - and I feel like there might be a more efficient way to do it.

If I had to guess, I would say that you are missing a final ].

You should take a look at the search job inspector, as it may show you how the sub-searches were expanded. However, sometimes the search job inspector isn't very informative when there is a syntax problem.
