Splunk Search

[Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.

cheriemilk
Path Finder

Hi team,

I got error 'Error in 'eval' command: The expression is malformed. ' when running below query. Guess it's because the double quote in the the source log. How to get rid of this?

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN="Jessica" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID="EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1" AGN="\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3="\[tsv2##jobinfo\]" C_ktf4="\[gender,location\]" C_if1="21" C_ktf2="\[Background_Criteria,Profile_Criteria\]" C_bf1="false" C_bf2="false" "
| makemv delim=";" log 
| mvexpand log 
| rex field=log "ktf2=\"\[(?P(.*))\"\]" 
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2
Tags (2)
0 Karma

woodcock
Esteemed Legend

Missed it by >that< much; you need to escape your double-quotes among other minor problems; try this:

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"\[tsv2##jobinfo\]\" C_ktf4=\"\[gender,location\]\" C_if1=\"21\" C_ktf2=\"\[Background_Criteria,Profile_Criteria\]\" C_bf1=\"false\" C_bf2=\"false\""
| makemv delim=";" log 
| mvexpand log 
| rename log AS _raw
| kv
| table C_ktf2
| rename C_ktf2 AS ktf2
| rex field=ktf2 mode=sed "s/\\\\\[|\\\\\]//g"
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2
0 Karma

vnravikumar
Champion

Hi

Try with escaping double quote

| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B* TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"[tsv2##jobinfo]\" C_ktf4=\"[gender,location]\" C_if1=\"21\" C_ktf2=\"[Background_Criteria,Profile_Criteria]\" C_bf1=\"false\" C_bf2=\"false\" "
0 Karma

cheriemilk
Path Finder

@vnravikumar , Thank you and it works

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...