Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[|

sharma11031988
Explorer
‎03-28-2019 07:30 AM

Hello All,

I am trying to remove events from my Dashboards for a specific time frame using data input from lookup.

I was able to use something from a blog, https://answers.splunk.com/answers/659389/how-to-exclude-multiple-time-ranges-from-multiple.html , and use this code to remove events:(This is the only format with which I can remove my event) 

if(([| inputlookup exclusion.csv | convert timeformat="%b/%d/%Y %H:%M:%S" mktime(EndTime) mktime(StartTime) | eval search="_time>=".StartTime." AND _time<=".EndTime | return 500 $search]),"false","true")

However, when I enable acceleration on my Data model, I am getting a syntax error for a condition put in DM like this, while same works fine without acceleration

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '[| inputlookup exclusion.csv | convert timeformat="%b/%d/%Y %H:%M:%S" mktime(EndTime) mktime(StartTime) | eval search="_time>=".StartTime." AND _time<=".EndTime | return 500 $search] ,"false","true")'

Can anyone help me figure out what am I doing wrong?

Tags (2)
0 Karma
Reply

samsplunks
Explorer
‎09-13-2023 02:41 AM

Hard a hard time debugging that one.

It only works if your SPL code with subquery return is in a dashboard "base search".

<dashboard>
  <label>My dashboard title</label>
<search id="parent_search_1">
    <query>``` put your query here with your subquery return $ ```</query>
</search>
<row>
<panel>
<table>
<title>My child visualization</title>
<search base="parent_search_1">
<query>``` have the rest of your query there ```</query>

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...