
[Resolved] Splunk eval - Error in 'eval' command: The expression is malformed.

cheriemilk
Path Finder

Hi team,

I got the error 'Error in 'eval' command: The expression is malformed.' when running the query below. I guess it's because of the double quotes in the source log. How do I get rid of this?

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN="Jessica" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID="EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1" AGN="\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3="\[tsv2##jobinfo\]" C_ktf4="\[gender,location\]" C_if1="21" C_ktf2="\[Background_Criteria,Profile_Criteria\]" C_bf1="false" C_bf2="false" "
| makemv delim=";" log 
| mvexpand log 
| rex field=log "ktf2=\"\[(?P<ktf2>(.*))\"\]" 
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2
0 Karma

woodcock
Esteemed Legend

Missed it by >that< much; you need to escape your double-quotes among other minor problems; try this:

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"\[tsv2##jobinfo\]\" C_ktf4=\"\[gender,location\]\" C_if1=\"21\" C_ktf2=\"\[Background_Criteria,Profile_Criteria\]\" C_bf1=\"false\" C_bf2=\"false\""
| makemv delim=";" log 
| mvexpand log 
| rename log AS _raw
| kv
| table C_ktf2
| rename C_ktf2 AS ktf2
| rex field=ktf2 mode=sed "s/\\\\\[|\\\\\]//g"
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2
0 Karma

vnravikumar
Champion

Hi

Try escaping the double quotes:

| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B* TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"[tsv2##jobinfo]\" C_ktf4=\"[gender,location]\" C_if1=\"21\" C_ktf2=\"[Background_Criteria,Profile_Criteria]\" C_bf1=\"false\" C_bf2=\"false\" "
0 Karma

cheriemilk
Path Finder

@vnravikumar, thank you, it works.

0 Karma
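The failure discussed in this thread, as an added example that is not from any of the posts: a Python helper that shows where an eval string literal closes early on an unescaped double quote, and that builds the `| makeresults | eval` test search from a raw event with the quotes escaped. The function names and the shortened sample event are constructed for illustration, and the helper assumes a backslash escapes the next character inside an eval literal, as the answers above do.

```python
# Added example: constructed, shortened event using values from the thread.
RAW = 'CMID=Jessica CMN="Jessica" C_ktf2="[Background_Criteria,Profile_Criteria]"'


def escape_for_eval(raw: str) -> str:
    """Escape backslashes, then double quotes, for use inside eval "..."."""
    return raw.replace("\\", "\\\\").replace('"', '\\"')


def check_eval_literal(expr: str):
    """Scan the first "..." literal in expr, honouring backslash escapes.

    Returns (literal_text, leftover). A non-empty leftover is what eval is
    handed after the literal closed; None means the literal never closed.
    """
    start = expr.find('"')
    if start < 0:
        return None
    i = start + 1
    while i < len(expr):
        if expr[i] == "\\":      # escaped character: skip it
            i += 2
        elif expr[i] == '"':     # first unescaped quote ends the literal
            return expr[start + 1:i], expr[i + 1:].strip()
        else:
            i += 1
    return expr[start + 1:], None


def makeresults_search(raw: str, field: str = "log") -> str:
    """Build a test search that feeds one raw event to the pipeline."""
    return f'| makeresults\n| eval {field}="{escape_for_eval(raw)}"'


if __name__ == "__main__":
    broken = f'log="{RAW}"'
    # The literal stops at CMN=, and the rest of the event is left over.
    print(check_eval_literal(broken))
    print(makeresults_search(RAW))
```

A non-empty leftover from `check_eval_literal` marks the exact point where the event text spills out of the string and into the eval expression.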