Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- edit fields with eval expressions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am receiving an error of "The expression is malformed. Expected IN." any time we search utilizing the web data model. When i remove this eval expression 'if(act="File quarantined","blocked",action)' the search works fine so I am assuming that this is the problem child. does anyone see anything inherently wrong with this expression?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are you seeing this? Inside the web datamodel?
In which case, the action field should look like this (see attached)
If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s.
case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try changing it to
if(action="File quarantined","blocked",action)
That looks to me like the intent is to re-write the action to be "blocked" for a quarantine message, otherwise leave action as it was
if (action = quarantine, re-write it as action="blocked", otherwise set action=action( i.e whatever it already was) )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I appreciate the reply, unfortunately it did not work. There are 2 eval expressions seen as below. Does there need to be something in between? Thank you !
if(isnull(action) OR action="","unknown",action)
if(act="File quarantined","blocked",action)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are you seeing this? Inside the web datamodel?
In which case, the action field should look like this (see attached)
If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s.
case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
