Solved: Why am I getting "Error in 'eval' command: The exp...

sunil_bansal · ‎12-16-2015

Instance_ID is one extracted field in code *. If there is a value in the $ID$ field, then result should list only for that value, else as default, it should display results for all values (for all values, I am trying * to tmp)

Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp |search Instance_ID =  tmp

masonmorales · ‎12-17-2015

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp

View solution in original post

masonmorales · ‎12-17-2015

The error is telling you that you are missing an end parenthesis in your eval command. So, just add one in, like this:

 Code *|eval tmp="$ID$" | eval tmp=if(isnull(tmp),"*",tmp) |search Instance_ID =  tmp

javiergn · ‎12-17-2015

There seems to be a typo in your code and you need to use "where" instead of "search" when comparing fields:

Code |eval tmp="$ID$" | eval tmp=if(isnull(tmp),"",tmp) | where Instance_ID = tmp

You can also use the match operator. See this post

Why am I getting "Error in 'eval' command: The expression is malformed. Expected )."

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!