Splunk Search

Nested "Where" Commands - Error: The expression is malformed

rescobar713
Path Finder

I'm trying to filter the results of a search based on the results of a (pretty complex) subsearch using the where command.

Here is what my search looks like right now (spacing and line breaks added for clarity):

    ... | where [search ... |
        where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id]
        | fields title] |
    ...

When I run this, I keep getting the following error:

    Error in 'where' command: The expression is malformed. An unexpected character is reached at ')'.

When I run the contents of the first (outermost) where command, like this:

    ... | where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id] | fields title

Everything runs perfectly fine, and I get the results I expect.

Is something wrong with my syntax? Is there a problem with having too many nested where commands? title is a field in the main search, so I assumed I could just use where to filter out all titles that weren't found by my subsearch (i.e. where title="title1" OR title="title2"...).

The error seems to be occurring at the very end of the outermost where, because when I add extraneous characters (like "asdf") to the end of the entire search I get this:

    Error in 'where' command: The expression is malformed. An unexpected character is reached at ') asdf'.

Sorry if this isn't enough information to help. I can say that this search was working perfectly about a week ago, but when I re-indexed the data to account for new information, it started giving me this error. I've broken down the search into each individual subsearch and everything works fine, but when I try to put it all together into one big search it just won't work.

Any help would be greatly appreciated.

martin_mueller
SplunkTrust

If you can, add this to limits.conf:

[search_info]
infocsv_log_level = DEBUG

Then restart Splunk. This will add debug messages to the top of the job inspector, including what strings your subsearches evaluated to. Use this to troubleshoot.
H/T to @ChrisG 🙂

lguinn2
Legend

Nice - I didn't know this one!


martin_mueller
SplunkTrust

I think it's been added to the docs this week 😄


lguinn2
Legend

This is very difficult to read with all the ellipses.

Why do you need the where commands at all? Why not just put the subsearches into the main search? I am having trouble understanding what you are trying to do - and I feel like there might be a more efficient way to do it.

If I had to guess, I would say that you are missing a final ]

You should take a look at the search job inspector, as it may show you how the sub-searches were expanded. However, sometimes the search job inspector isn't very informative when there is a syntax problem.
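As an added example (not part of the thread, and not Splunk's own tooling), here is a small checker for the "missing a final ]" diagnosis above: it walks an SPL string, treats brackets inside double-quoted strings as literal search terms, and reports the offset of the first unmatched subsearch bracket so the mistake is found before Splunk's "expression is malformed" error. The sample queries are constructed to mirror the shape of the question, with the poster's `...` kept as literal text.

```python
# Added example: report unbalanced SPL subsearch brackets with their offset.
# Assumptions: only [ and ] delimit subsearches, " quotes a string, and
# backslash escapes the next character inside a quoted string.

def check_subsearch_brackets(spl: str) -> dict:
    """Return {'ok': bool, 'max_depth': int, 'error': str|None, 'pos': int|None}."""
    stack = []            # offsets of currently open '['
    max_depth = 0
    in_quote = False
    i = 0
    while i < len(spl):
        ch = spl[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(spl):
                i += 2    # skip the escaped character inside the string
                continue
            if ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
        elif ch == "[":
            stack.append(i)
            max_depth = max(max_depth, len(stack))
        elif ch == "]":
            if not stack:   # a ']' with no open subsearch
                return {"ok": False, "max_depth": max_depth,
                        "error": "unmatched ']'", "pos": i}
            stack.pop()
        i += 1
    if in_quote:
        return {"ok": False, "max_depth": max_depth,
                "error": "unterminated string", "pos": None}
    if stack:               # innermost '[' that was never closed
        return {"ok": False, "max_depth": max_depth,
                "error": "unclosed '['", "pos": stack[-1]}
    return {"ok": True, "max_depth": max_depth, "error": None, "pos": None}


# Constructed queries modelled on the question (the "..." are literal here).
BALANCED = ('... | where [search ... | where [search ... | fields title] '
            'AND ![search ... | fields object_id] | fields title] | ...')
MISSING_CLOSE = BALANCED.rsplit("]", 1)[0] + " | ..."   # drop the final ]
QUOTED = 'search title="[not a subsearch]" | fields title'

if __name__ == "__main__":
    for name, q in [("balanced", BALANCED), ("missing ]", MISSING_CLOSE), ("quoted", QUOTED)]:
        print(name, check_subsearch_brackets(q))
```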
