Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem of mismatched quotes and/or parenthesis says splunk but not my editor...

mehdiazmi
Explorer
‎04-10-2015 08:05 AM

Hello everyone!

when I'am performing that search :

| inputlookup table-vuln-machin.csv | chart eval( count ( eval [ search index=qualys_truc_hosts | dedup HOST.IP | stats dc(HOST.IP)] - count( eval [| inputlookup table-vuln-machin.csv | dedup IP | stats dc(IP)] ) ) )

I am getting this answer :

Error in 'SearchProcessor': Mismatched quotes and/or parenthesis.

After I have copied and pasted it in my editor, I see no mismatching quote or parenthesis.

All the indexes and inputlookups are working fine on other searches.

Could you explain me why?

Thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-13-2015 08:43 AM

Try this

| inputlookup table-vuln-machin.csv | stats dc(IP) s count2 | eval difference=[ search index=qualys_truc_hosts | stats dc(HOST.IP) as search]-count2

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-13-2015 08:43 AM

Try this

| inputlookup table-vuln-machin.csv | stats dc(IP) s count2 | eval difference=[ search index=qualys_truc_hosts | stats dc(HOST.IP) as search]-count2
Reply
Solved! Jump to solution

mehdiazmi
Explorer
‎04-14-2015 01:00 AM

Thank you.
I did it in another way but your solution works too.

Thanks again and have a nice day.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-10-2015 10:54 AM

I suspect the error message is inaccurate, something I've noticed before. I also can't say I've seen searches within an eval before so I wonder if that is the source of the error. Consider rewriting your search something like this:

index=qualys_truc_hosts | dedup HOST.IP | stats dc(HOST.IP) as hostCount | appendcols [| inputlookup table-vuln-machin.csv | dedup IP | stats dc(IP) as IPcount]  | chart count(eval hostCount-IPcount)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mehdiazmi
Explorer
‎04-13-2015 12:44 AM

Thank you for your help.

Unfortunately, it's not working. I'll try another way.

Once again, thank you.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎04-13-2015 06:07 AM

What do you want to do?
It is better to change the way to write request
Just tell the thing that you want to do

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...