Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my search producing error "Error in 'eval' command: The expression is malformed..."?

TheJagoff
Communicator
‎05-23-2016 10:03 AM

When I enter this search: 

sourcetype=win*
(EventCode=4624 OR EventCode=4634)| stats latest(eval(if(EventCode=4624,_time, null()))) as logon_time, latest(eval(if(EventCode=4634,_time,null()))) as logoff_time by User
| eval logoff_time = if(logoff_time < logon_time OR isnull(logoff_time), “Session in Progress”, logoff_time)

I get the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“Session in Progress”, logoff_time)'.

I can't seem to see where I messed up. Any help or ideas are most appreciated.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-23-2016 11:47 AM

It is almost certainly because you are using Windows/handed/slanted double-quotes (“ ”) instead of low-ASCII/unhanded ("). Cut and paste THIS ONE -> ".

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-23-2016 11:47 AM

It is almost certainly because you are using Windows/handed/slanted double-quotes (“ ”) instead of low-ASCII/unhanded ("). Cut and paste THIS ONE -> ".

Reply
Solved! Jump to solution

TheJagoff
Communicator
‎05-23-2016 01:31 PM

As usual - you are absolutely correct sir. Many many thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...