Splunk Search

What's wrong with this eval statement? I am getting the error "Error in 'eval' command: The expression is malformed. Expected )."

Communicator

This is the eval statement I am using, together with case(), but I am getting an error.

eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)

0 Karma
1 Solution

Communicator

Ugh, my bad! I copied the search from the earlier dashboard's source XML and pasted it into the search box; this '>' sign was, and is, present as ';' in the dashboard XML, which is why it was giving an error. Otherwise the eval statement is correct.

View solution in original post

0 Karma
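The root cause above is a copy-and-paste artefact: in dashboard source XML the search lives inside a <query> element, where '>' has to be stored escaped, so pasting the raw element text into the search bar hands eval something it cannot parse. The following is an added example, not code from the thread or from Splunk: it loads a constructed SimpleXML fragment, pulls out each <query> with entities decoded (which is what the search bar expects), and runs two sanity checks that reproduce what the other posters did by eye: bracket balancing outside double-quoted strings, and that every case() call has an even number of arguments (condition/value pairs). The helper names, the dashboard fragment and the `escape_for_dashboard` function are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed SimpleXML fragment, modelled on the search in the thread.
# Note that every '>' inside <query> is stored as '&gt;' in dashboard source.
DASHBOARD_XML = """<dashboard>
  <row><panel><table>
    <search>
      <query>index=nessus sourcetype=nessus:scan
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| eval total=case(critical&gt;0 AND high&gt;0,critical+high,critical&gt;0,critical,high&gt;0,high,1==1,0)</query>
    </search>
  </table></panel></row>
</dashboard>"""


def extract_queries(xml_text):
    """Return every <query> body with XML entities decoded, i.e. the text the
    search bar expects (hypothetical helper, not a Splunk API)."""
    root = ET.fromstring(xml_text)
    return [(q.text or "").strip() for q in root.iter("query")]


def escape_for_dashboard(spl):
    """Inverse direction: escape a search so it can be pasted into <query>."""
    return escape(spl)


def check_balanced(spl):
    """True if ( ) and [ ] nest correctly, ignoring brackets inside
    double-quoted string literals (e.g. regexes passed to match())."""
    pairs = {")": "(", "]": "["}
    stack = []
    in_str = False
    for ch in spl:
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch in "([":
            stack.append(ch)
        elif ch in ")]":
            if not stack or stack.pop() != pairs[ch]:
                return False
    return not stack and not in_str


def case_arg_counts(spl):
    """For each case( ... ) call, count its top-level comma-separated
    arguments. case() takes condition/value pairs, so an odd count means a
    missing value (or a stray comma)."""
    counts = []
    for m in re.finditer(r"\bcase\(", spl):
        depth, args, in_str = 1, 1, False
        i = m.end()
        while i < len(spl) and depth > 0:
            ch = spl[i]
            if ch == '"':
                in_str = not in_str
            elif not in_str:
                if ch in "([":
                    depth += 1
                elif ch in ")]":
                    depth -= 1
                elif ch == "," and depth == 1:
                    args += 1
            i += 1
        counts.append(args)
    return counts


if __name__ == "__main__":
    for spl in extract_queries(DASHBOARD_XML):
        print(spl)
        print("balanced:", check_balanced(spl), "case() args:", case_arg_counts(spl))
```

Running it shows the decoded search with plain '>' comparisons, reports the brackets as balanced and the single case() as having eight arguments, which is why the statement is valid once it is pasted in decoded form rather than straight from the XML source.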

Esteemed Legend

Click Accept on your answer here to close the question.

0 Karma

Esteemed Legend

You must ensure that all fields based on severity (critical, high, etc.) are numbers or you will get an error, so try this:

index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational") 
| stats dc(signature) as vuln_count count by severity,dest 
| chart useother=`useother` first(vuln_count) over dest by severity
| foreach critical high medium low informational
   [ rex field=<<FIELD>> mode=sed "s/[\r\n\s]//g" | eval <<FIELD>>=tonumber(<<FIELD>>) ]
| eval total=case(
   critical>0 AND high>0,         critical+high,
   critical>0,                    critical,
   high>0,                        high,
   true(),                        0) 
| eval subTotal=case(
   medium>0 AND low>0,            medium+low,
   medium>0,                      medium,
   low>0,                         low,
   true(),                        0) 
| eval subSubTotal=case(
   informational>0 AND unknown>0, informational+unknown,
   informational>0,               informational,
   unknown>0,                     unknown,
   true(),                        0)

Communicator

@xpac, No, I checked all the brackets, all is perfect.
Here is the full query:

index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)

I am getting the error for all the eval statements here, @woodcock.

0 Karma

Esteemed Legend

I still do not get any errors.

0 Karma

Communicator

Do you have logs from Nessus? If so, can you kindly share the results? I don't know why I am getting that error.

0 Karma

SplunkTrust

I just put that search into my Splunk, and it is perfectly valid.
The only thing that I had to remove is the useother=`useother` part, because I don't have that macro.
Just in case, can you post the content of that macro?

0 Karma

Communicator

'useother'=true
That's it.

0 Karma

Esteemed Legend

It does not give an error for me.

0 Karma

SplunkTrust

Do you have any other ( or ) in the rest of your query?

0 Karma