Solved: Why am I getting "Error in 'eval' command: The exp...

sunil_bansal · ‎12-16-2015

Instance_ID is one extracted field in code *. If there is a value in the $ID$ field, then result should list only for that value, else as default, it should display results for all values (for all values, I am trying * to tmp)

Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp |search Instance_ID =  tmp

masonmorales · ‎12-17-2015

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp

View solution in original post

masonmorales · ‎12-17-2015

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp

javiergn · ‎12-17-2015

There seems to be a typo in your code and you need to use "where" instead of "search" when comparing fields:

Code |eval tmp="$ID$" | eval tmp=if(isnull(tmp),"",tmp) | where Instance_ID = tmp

You can also use the match operator. See this post

Why am I getting "Error in 'eval' command: The expression is malformed. Expected )."

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation