Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

eval with malformed in my nested if. Expected (.

peiyee422
New Member
‎08-26-2018 07:54 PM

Hi,

Need help urgently. I am running Splunk command in batch file but I keep on getting
FATAL: Error in 'eval' command: The expression is malformed. Expected ).

This is my command:
eval 1Status=if(Test_Result=""Passed"","No Issue",if(PreviousResult>0,"Known","New"))
Can anyone tell me what is wrong with this command?

Thank you so much!

Tags (3)
0 Karma
Reply

niketn
Legend
‎08-26-2018 08:07 PM

@peiyee422 Does your Test_Result value actually contain double quote in it?

If Not try the following:

| eval 1Status=if(Test_Result="Passed","No Issue",if(PreviousResult>0,"Known","New"))

If Not try the following which escapes double quotes in eval using \":

| eval 1Status=if(Test_Result="\"Passed\"","No Issue",if(PreviousResult>0,"Known","New"))
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

peiyee422
New Member
‎08-26-2018 08:24 PM

Hi, it is not working in these ways.
This is because I am running them in a batch file, it needs a escape brackets.

BUT I replaced the if statement with case:
eval Test_Status=case(Test_Result=""Passed"",""No Issue"",PreviousResult>0,""Known Issue"", PreviousResult=0,""New"")

0 Karma
Reply

niketn
Legend
‎08-27-2018 09:59 PM

What do you mean by running them in a batch file. Also are you still getting error? What do you mean by it is not working?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

peiyee422
New Member
‎08-28-2018 12:53 AM

I run the query in a batch file, still getting the same error.
Anyways, issue solved by using CASE.
Thank you so much for the comments!! 🙂 🙂

0 Karma
Reply

niketn
Legend
‎08-28-2018 01:18 AM

Good to know. Please post your solution and accept the same as answer to mark this question as answered!

Do up vote the comment/s that helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...