Splunk Search

Why am I getting "Error in 'eval' command: The expression is malformed. Expected )."

sunil_bansal
New Member

Instance_ID is one extracted field in code *. If there is a value in the $ID$ field, then result should list only for that value, else as default, it should display results for all values (for all values, I am trying * to tmp)

Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp |search Instance_ID =  tmp
0 Karma
1 Solution

masonmorales
Influencer

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp


0 Karma

javiergn
Super Champion

There seems to be a typo in your code and you need to use "where" instead of "search" when comparing fields:

Code |eval tmp="$ID$" | eval tmp=if(isnull(tmp),"",tmp) | where Instance_ID = tmp

You can also use the match operator. See this post

0 Karma
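
An added example, not part of the original thread: one way to write the optional filter the question describes, keeping the asker's `*` default but testing for it explicitly, because `where` compares values exactly and does not expand `*` as a wildcard. It assumes the `$ID$` token is substituted with an empty string when no value is supplied; the `makeresults` rows, the `Instance_ID` values and the literal `"i-2"` standing in for `"$ID$"` are constructed sample data.

```spl
| makeresults count=3
| streamstats count AS n
| eval Instance_ID="i-".tostring(n)
| eval tmp="i-2"
| eval tmp=if(isnull(tmp) OR tmp="", "*", tmp)
| where tmp="*" OR Instance_ID=tmp
| table Instance_ID tmp
```

As written this returns only the `i-2` row; changing the fourth line to `eval tmp=""` returns all three rows. The `tmp=""` test is needed because a quoted token that expands to nothing is an empty string, which `isnull` does not catch.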