Solved: Why am I getting "Error in 'eval' command: The exp...

sunil_bansal · ‎12-16-2015

Instance_ID is one extracted field in code *. If there is a value in the $ID$ field, then result should list only for that value, else as default, it should display results for all values (for all values, I am trying * to tmp)

Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp |search Instance_ID =  tmp

masonmorales · ‎12-17-2015

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp

View solution in original post

masonmorales · ‎12-17-2015

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp

javiergn · ‎12-17-2015

There seems to be a typo in your code and you need to use "where" instead of "search" when comparing fields:

Code |eval tmp="$ID$" | eval tmp=if(isnull(tmp),"",tmp) | where Instance_ID = tmp

You can also use the match operator. See this post

Why am I getting "Error in 'eval' command: The expression is malformed. Expected )."

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Why am I getting "Error in 'eval' command: The expression is malformed. Expected )."

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine