Re: [Resolved]Splunk eval - Error in 'eval' comman...

cheriemilk · ‎12-04-2019

Hi team,

I got error 'Error in 'eval' command: The expression is malformed. ' when running below query. Guess it's because the double quote in the the source log. How to get rid of this?

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN="Jessica" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID="EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1" AGN="\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3="\[tsv2##jobinfo\]" C_ktf4="\[gender,location\]" C_if1="21" C_ktf2="\[Background_Criteria,Profile_Criteria\]" C_bf1="false" C_bf2="false" "
| makemv delim=";" log 
| mvexpand log 
| rex field=log "ktf2=\"\[(?P(.*))\"\]" 
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2

woodcock · ‎12-05-2019

Missed it by >that< much; you need to escape your double-quotes among other minor problems; try this:

| makeresults 
| eval log=" 2019-12-03 15:03:10,068                 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"\[tsv2##jobinfo\]\" C_ktf4=\"\[gender,location\]\" C_if1=\"21\" C_ktf2=\"\[Background_Criteria,Profile_Criteria\]\" C_bf1=\"false\" C_bf2=\"false\""
| makemv delim=";" log 
| mvexpand log 
| rename log AS _raw
| kv
| table C_ktf2
| rename C_ktf2 AS ktf2
| rex field=ktf2 mode=sed "s/\\\\\[|\\\\\]//g"
| makemv delim="," ktf2 
| eval ktf2= ltrim(ktf2) 
| stats count by ktf2

vnravikumar · ‎12-04-2019

Hi

Try with escaping double quote

| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B* TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"[tsv2##jobinfo]\" C_ktf4=\"[gender,location]\" C_if1=\"21\" C_ktf2=\"[Background_Criteria,Profile_Criteria]\" C_bf1=\"false\" C_bf2=\"false\" "

cheriemilk · ‎12-05-2019

@vnravikumar , Thank you and it works

[Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation