This is the eval statement I am using along with case, but I am getting an error.
eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
Ughh, my bad! I copied the search from the earlier dashboard's source XML and pasted it into the search box; this '>' sign was and is present as '&gt;' in the dashboard XML, which is why it was giving an error. Otherwise the eval statement is correct.
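The root cause described above (XML entities copied straight out of a dashboard's source into the search bar) can be demonstrated with a short Python round trip. This is an added example, not code from the thread or from Splunk; the dashboard fragment is constructed for illustration and the helper names (query_from_dashboard, query_to_dashboard_text, looks_like_pasted_entity) are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed Simple XML dashboard fragment (not a real dashboard from the
# thread): the '>' in the eval/case comparisons is stored on disk as the XML
# entity &gt;, which is what the poster copied into the search bar by mistake.
DASHBOARD_XML = """<dashboard>
  <row>
    <panel>
      <table>
        <search>
          <query>index=nessus sourcetype=nessus:scan
| stats dc(signature) as vuln_count count by severity,dest
| chart first(vuln_count) over dest by severity
| eval total=case(critical&gt;0 AND high&gt;0,critical+high,critical&gt;0,critical,high&gt;0,high,1==1,0)</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
"""

# XML entities that must never reach the search bar verbatim.
XML_ENTITIES = ("&gt;", "&lt;", "&amp;", "&quot;", "&apos;")


def query_from_dashboard(xml_text: str) -> str:
    """Return the search string as it should be typed into the search bar.

    Going through a real XML parser decodes &gt; back to '>', so the
    returned SPL is what the dashboard actually executes.
    """
    root = ET.fromstring(xml_text)
    query = root.find(".//search/query")
    if query is None or query.text is None:
        raise ValueError("no <search><query> element found")
    return query.text.strip()


def query_to_dashboard_text(spl: str) -> str:
    """Escape an SPL string so it can be pasted inside a <query> element by hand.

    saxutils.escape rewrites &, < and > to their entities, which is exactly
    the transformation the dashboard editor applies when saving.
    """
    return escape(spl)


def looks_like_pasted_entity(spl: str) -> bool:
    """Detect the mistake from this thread: an SPL string that still contains
    XML entities because it was copied from dashboard source, not from the
    rendered search."""
    return any(entity in spl for entity in XML_ENTITIES)


if __name__ == "__main__":
    spl = query_from_dashboard(DASHBOARD_XML)
    print(spl)
    print("entity leaked:", looks_like_pasted_entity(spl))
```

The check in looks_like_pasted_entity is the one to run on any search string lifted from dashboard XML before handing it to the search bar: if it fires, the query went through a text copy rather than a parser and the comparison operators are still encoded.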
Click Accept on your answer here to close the question.
You must ensure that all fields based on severity (critical, high, etc.) are all numbers or you will get an error, so try this:
index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| foreach critical high medium low informational
[ rex field=<<FIELD>> mode=sed "s/[\r\n\s]//g" | eval <<FIELD>>=tonumber(<<FIELD>>) ]
| eval total=case(
critical>0 AND high>0, critical+high,
critical>0, critical,
high>0, high,
true(), 0)
| eval subTotal=case(
medium>0 AND low>0, medium+low,
medium>0, medium,
low>0, low,
true(), 0)
| eval subSubTotal=case(
informational>0 AND unknown>0, informational+unknown,
informational>0, informational,
unknown>0, unknown,
true(), 0)
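To show what the foreach/rex/tonumber cleanup and the null-safe case() logic in the answer above actually do to the chart rows, here is an added Python model. It is not code from the thread or from Splunk: the rows are constructed chart output, and tonumber, gt, case and pair_total are assumed names that mimic the SPL functions closely enough to exercise the edge cases (trailing newline, surrounding spaces, a missing field such as unknown, a non-numeric value).

```python
import re

SEVERITIES = ("critical", "high", "medium", "low", "informational", "unknown")

# Constructed chart output, one row per dest. Values arrive as strings, one
# carries a trailing newline and one is padded with spaces; the second host
# has no critical findings at all and one value is not numeric. None models
# a Splunk null (field absent).
ROWS = [
    {"dest": "10.0.0.5", "critical": "2", "high": "5", "medium": "1\n",
     "low": "0", "informational": "7"},
    {"dest": "10.0.0.9", "critical": None, "high": "3", "medium": "4",
     "low": "2", "informational": " 1 ", "unknown": "n/a"},
]


def tonumber(value):
    """Model of the rex ... mode=sed "s/[\\r\\n\\s]//g" step followed by
    tonumber(): strip whitespace, return None (null) when the value is
    missing or not numeric instead of raising."""
    if value is None:
        return None
    cleaned = re.sub(r"[\r\n\s]", "", value)
    try:
        return float(cleaned)
    except ValueError:
        return None


def gt(value, threshold):
    """Null-safe '>': comparing a null field to a number is false, which is
    why case() falls through to the next condition rather than erroring."""
    return value is not None and value > threshold


def case(*pairs):
    """Model of case(cond1, val1, cond2, val2, ...): first true condition
    wins; the answer's trailing true(), 0 acts as the default."""
    for cond, val in zip(pairs[0::2], pairs[1::2]):
        if cond:
            return val
    return None


def pair_total(row, a, b):
    """The total/subTotal/subSubTotal pattern from the answer for fields a, b."""
    x, y = row.get(a), row.get(b)
    return case(
        gt(x, 0) and gt(y, 0), (x or 0) + (y or 0),
        gt(x, 0), x,
        gt(y, 0), y,
        True, 0,
    )


def summarize(rows):
    """Apply the numeric coercion to every severity column, then compute the
    three totals exactly as the eval/case statements do."""
    out = []
    for raw in rows:
        row = {k: (tonumber(v) if k in SEVERITIES else v) for k, v in raw.items()}
        row["total"] = pair_total(row, "critical", "high")
        row["subTotal"] = pair_total(row, "medium", "low")
        row["subSubTotal"] = pair_total(row, "informational", "unknown")
        out.append(row)
    return out


if __name__ == "__main__":
    for row in summarize(ROWS):
        print(row["dest"], row["total"], row["subTotal"], row["subSubTotal"])
```

Note that unknown is never produced by the chart in the answer because the base search only keeps the five named severities, so subSubTotal always reduces to the informational count; the model shows that this is harmless because a null field simply fails the comparison and the case() falls through.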
@xpac, no, I checked all the brackets; all is perfect.
Here is the full query:
index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)
I am getting an error for all the eval statements here, @woodcock.
I still do not get any errors.
Do you have logs from Nessus? If so, can you kindly share the results? I don't know why I am getting that error.
I just put that search into my Splunk, and it is perfectly valid.
The only thing that I had to remove is the useother=`useother` part, because I don't have that macro.
Just in case, can you post the content of that macro?
`useother`=true
That's it.
It does not give an error for me.
Do you have any other ( or ) in the rest of your query?
