Solved: Why is my search producing error "Error in 'eval' ...

TheJagoff · ‎05-23-2016

When I enter this search:

sourcetype=win*
(EventCode=4624 OR EventCode=4634)| stats latest(eval(if(EventCode=4624,_time, null()))) as logon_time, latest(eval(if(EventCode=4634,_time,null()))) as logoff_time by User
| eval logoff_time = if(logoff_time < logon_time OR isnull(logoff_time), “Session in Progress”, logoff_time)

I get the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“Session in Progress”, logoff_time)'.

I can't seem to see where I messed up. Any help or ideas are most appreciated.

Thanks

woodcock · ‎05-23-2016

It is almost certainly because you are using Windows/handed/slanted double-quotes (“ ”) instead of low-ASCII/unhanded ("). Cut and paste THIS ONE -> ".

View solution in original post

woodcock · ‎05-23-2016

It is almost certainly because you are using Windows/handed/slanted double-quotes (“ ”) instead of low-ASCII/unhanded ("). Cut and paste THIS ONE -> ".

TheJagoff · ‎05-23-2016

As usual - you are absolutely correct sir. Many many thanks!

Why is my search producing error "Error in 'eval' command: The expression is malformed..."?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms