Solved: Problem of mismatched quotes and/or parenthesis sa...

mehdiazmi · ‎04-10-2015

Hello everyone!

when I'am performing that search :

I am getting this answer :

Error in 'SearchProcessor': Mismatched quotes and/or parenthesis.

After I have copied and pasted it in my editor, I see no mismatching quote or parenthesis.

All the indexes and inputlookups are working fine on other searches.

Could you explain me why?

Thank you

somesoni2 · ‎04-13-2015

Try this

| inputlookup table-vuln-machin.csv | stats dc(IP) s count2 | eval difference=[ search index=qualys_truc_hosts | stats dc(HOST.IP) as search]-count2

View solution in original post

somesoni2 · ‎04-13-2015

Try this

| inputlookup table-vuln-machin.csv | stats dc(IP) s count2 | eval difference=[ search index=qualys_truc_hosts | stats dc(HOST.IP) as search]-count2

mehdiazmi · ‎04-14-2015

Thank you.
I did it in another way but your solution works too.

Thanks again and have a nice day.

richgalloway · ‎04-10-2015

I suspect the error message is inaccurate, something I've noticed before. I also can't say I've seen searches within an eval before so I wonder if that is the source of the error. Consider rewriting your search something like this:

index=qualys_truc_hosts | dedup HOST.IP | stats dc(HOST.IP) as hostCount | appendcols [| inputlookup table-vuln-machin.csv | dedup IP | stats dc(IP) as IPcount]  | chart count(eval hostCount-IPcount)

---
If this reply helps you, Karma would be appreciated.

mehdiazmi · ‎04-13-2015

Thank you for your help.

Unfortunately, it's not working. I'll try another way.

Once again, thank you.

chimell · ‎04-13-2015

What do you want to do?
It is better to change the way to write request
Just tell the thing that you want to do

Problem of mismatched quotes and/or parenthesis says splunk but not my editor...

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life