Splunk Search

Nested "Where" Commands - Error: The expression is malformed

Path Finder

I'm trying to filter the results of a search based on the results of a (pretty complex) subsearch using the where command.

Here is what my search looks like right now (spacing and line breaks added for clarity):

    ... | where [search ... |
        where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id]
        | fields title] |
    ...

When I run this, I keep getting the following error:

    Error in 'where' command: The expression is malformed. An unexpected character is reached at ')'.

When I run the contents of the first (outermost) where command, like this:

    ... | where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id] | fields title

Everything runs perfectly fine, and I get the results I expect.

Is something wrong with my syntax? Is there a problem with having too many nested where commands? title is a field in the main search, so I assumed I could just use where to filter out all titles that weren't found by my subsearch (i.e. where title="title1" OR title="title2"...).

The error seems to be occurring at the very end of the outermost where, because when I add extraneous characters (like "asdf") to the end of the entire search I get this:

    Error in 'where' command: The expression is malformed. An unexpected character is reached at ') asdf'.

Sorry if this isn't enough information to help. I can say that this search was working perfectly about a week ago, but when I re-indexed the data to account for new information, it started giving me this error. I've broken down the search into each individual subsearch and everything works fine, but when I try to put it all together into one big search it just won't work.

Any help would be greatly appreciated.


SplunkTrust

If you can, add this to limits.conf:

    [search_info]
    infocsv_log_level = DEBUG

Then restart Splunk. This will add debug messages to the top of the job inspector, including what strings your subsearches evaluated to. Use this to troubleshoot.
H/T to @ChrisG 🙂

Legend

Nice - I didn't know this one!


SplunkTrust

I think it's been added to the docs this week 😄


Legend

This is very difficult to read with all the ellipses.

Why do you need the where commands at all? Why not just put the subsearches into the main search? I am having trouble understanding what you are trying to do - and I feel like there might be a more efficient way to do it.

If I had to guess, I would say that you are missing a final ].

You should take a look at the search job inspector, as it may show you how the sub-searches were expanded. However, sometimes the search job inspector isn't very informative when there is a syntax problem.
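Both answers point at the same diagnostic step: look at the string each subsearch actually expanded to. The following Python is an added example, not code from this thread or from Splunk. It models how Splunk's `format` command renders subsearch result rows into a search-string expression using its default delimiters (`"(" "(" "AND" ")" "OR" ")"`), and then runs a small checker over that string that reports the offset of the first `)` an eval/where parser could not accept (unmatched, or closing an empty group). The rendering of an empty result set as `NOT ()` is an assumption made here for illustration; compare it against the debug strings the job inspector shows for your own search rather than taking it as fact. The sample rows are constructed.

```python
from typing import Dict, List, Optional


def format_subsearch(rows: List[Dict[str, str]],
                     row_prefix: str = "(", col_prefix: str = "(",
                     col_sep: str = "AND", col_end: str = ")",
                     row_sep: str = "OR", row_end: str = ")") -> str:
    """Render subsearch rows the way Splunk's format command does by default.

    Each row becomes `( field="value" AND field2="value2" )`, rows are joined
    with OR, and the whole thing is wrapped in one more pair of parentheses.
    Double quotes inside values are backslash-escaped.
    """
    if not rows:
        # Assumption for this example: an empty result set renders as "NOT ()".
        # Verify against infocsv_log_level = DEBUG output in the job inspector.
        return "NOT ()"
    rendered_rows = []
    for row in rows:
        cols = [f'{field}="{value.replace(chr(34), chr(92) + chr(34))}"'
                for field, value in row.items()]
        rendered_rows.append(f"{col_prefix} {f' {col_sep} '.join(cols)} {col_end}")
    return f"{row_prefix} {f' {row_sep} '.join(rendered_rows)} {row_end}"


def first_unexpected_paren(expr: str) -> Optional[int]:
    """Return the index of the first ')' a where/eval parser would reject.

    A ')' is rejected when it has no matching '(' or when the group it closes
    is empty (as in "NOT ()"). Parentheses inside double-quoted string
    literals are ignored. Returns None when every ')' is acceptable.
    """
    open_positions: List[int] = []
    in_string = False
    i = 0
    while i < len(expr):
        ch = expr[i]
        if in_string:
            if ch == "\\":          # skip the escaped character
                i += 2
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            open_positions.append(i)
        elif ch == ")":
            if not open_positions:
                return i            # no matching '('
            start = open_positions.pop()
            if expr[start + 1:i].strip() == "":
                return i            # empty group "()"
        i += 1
    return None


def where_clause_for(rows: List[Dict[str, str]]) -> str:
    """Build the text a `where [subsearch]` would see after expansion."""
    return f"where {format_subsearch(rows)}"


if __name__ == "__main__":
    # Constructed sample rows standing in for `... | fields title` output.
    titles = [{"title": "title1"}, {"title": "title2"}]
    for sample in (titles, []):
        clause = where_clause_for(sample)
        bad = first_unexpected_paren(clause)
        verdict = "ok" if bad is None else f"unexpected ')' at offset {bad}"
        print(f"{clause!r}: {verdict}")
```

Running it prints the expanded `where` text for a two-row result and for an empty result; the checker flags the `)` in the empty case, which is the same kind of position the original error message reports. The point of the exercise is the method: once the job inspector gives you the literal expansion of each subsearch, paste that string in place of the `[ ... ]` and the malformed spot is usually visible by eye.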