So I've recently got into a new job, where I'm learning Splunk and learning how to support Splunk searches and dashboards left behind by someone else. I'm currently trying to go through a lot of the previous worker's searches, and I'm trying to understand how they all work. Right now I'm looking at a search that is part of a larger dashboard, and whenever I want to run this bit as an individual search, it's giving me the error "Error in 'EvalCommand': The expression is malformed. Expected )."

The search itself is:

index=vuln_vulnscan sourcetype=tenable:sc:vuln severity.id>=2 OR pluginID="19506" earliest=-12d latest=now()
    [ search index=inventory_snow ((sourcetype=snow:cmdb_ci_network_adapter AND ("ip_address\"\: \"56." OR "ip_address\"\: \"170.214")) OR (sourcetype=snow:cmdb_ci_computer) OR (sourcetype="snow:cmdb_ci_server")) dv_u_eir="*$eir$*" dv_u_environment="$eir_env$" earliest=-2d latest=now()
    | fields dv_name
    | stats latest(*) as * by dv_name
    | lookup dnslookup clienthost as dv_name OUTPUT clientip as ip
    | table ip ]
| fields pluginID dnsName ip port severity.name pluginName synopsis solution firstSeen lastSeen severity.id patchPubDate pluginText
| stats latest(*) as * by ip, pluginID, port
| eval patchAvailable="No Patch Available/Requires Manual Fix"
| eval patchAvailable=if(((patchPubDate>relative_time(now(),"-30d"))),"0d-30d",patchAvailable)
| eval patchAvailable=if(((patchPubDate<relative_time(now(),"-30d")) AND (patchPubDate>relative_time(now(),"-60d"))),"30d-60d",patchAvailable)
| eval patchAvailable=if(((patchPubDate<relative_time(now(),"-60d")) AND (patchPubDate>relative_time(now(),"-90d"))),"60d-90d",patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-90d") AND (patchPubDate>relative_time(now(),"-180d"))), "90d-180d",patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-180d") AND (patchPubDate>relative_time(now(),"-365d"))), "180d-365d", patchAvailable)
| eval patchAvailable=if((patchPubDate<relative_time(now(),"-365d") AND (patchPubDate>0)), "365d+", patchAvailable)

I understand most of this search, but I don't understand why Splunk would be giving this error. I've gone over it with a fine-toothed comb and I couldn't find any missing ")" symbols anywhere. There's no eval in the subsearch, and all the eval commands I see have the proper grammar for the program. Is it something to do with the fact that I copied this out of a larger dashboard?
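One way to check whether the error comes from the eval chain itself or from something else in the copied dashboard search is to run the patch-age bucketing on its own over synthetic values. The search below is an added example, not part of the original post: it rebuilds the six chained evals as a single case() with the same bands and feeds it constructed patchPubDate values (the offsetDays list is made up for the test) via makeresults, so the eval logic can be exercised without the Tenable index, the ServiceNow subsearch or the $eir$ dashboard tokens.

```spl
| makeresults
| eval offsetDays=split("-5,-45,-75,-120,-200,-400,null", ",")
| mvexpand offsetDays
| eval patchPubDate=if(offsetDays="null", null(), relative_time(now(), offsetDays."d"))
| eval patchAvailable=case(
    patchPubDate>relative_time(now(),"-30d"),  "0d-30d",
    patchPubDate>relative_time(now(),"-60d"),  "30d-60d",
    patchPubDate>relative_time(now(),"-90d"),  "60d-90d",
    patchPubDate>relative_time(now(),"-180d"), "90d-180d",
    patchPubDate>relative_time(now(),"-365d"), "180d-365d",
    patchPubDate>0,                            "365d+",
    true(),                                    "No Patch Available/Requires Manual Fix")
| table offsetDays patchPubDate patchAvailable
```

A null or non-numeric patchPubDate falls through every comparison and lands in the default bucket, matching the original chain; the only behavioural difference is that the original's strict < and > leave a value sitting exactly on a boundary in the default bucket, while case() assigns it to the next band.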