Splunk Search

Why do I receive "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”%Y-%m-%d %H:%M”)'." in my Splunk Light search?

tomasnelson
Explorer

Hi everyone !
I am a new user in Splunk (Great application and these days very useful); I read this document and I tried to reproduce the search but in my Splunk Free it does not work, reporting this error: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”%Y-%m-%d %H:%M”)'.

There is some limitation with my version? or the article is have something wrong ? I can not identify the solution...
please help...!!!!

https://www.splunk.com/blog/2016/08/12/detecting-early-signs-of-compromise-using-windows-sysinternal...

0 Karma
1 Solution

woodcock
Esteemed Legend

You have the @!#$%^&* Microsoft Windows left-and-right double-quotes ( and )instead of the correct ambiguous one ( " ).

View solution in original post

0 Karma

woodcock
Esteemed Legend

You have the @!#$%^&* Microsoft Windows left-and-right double-quotes ( and )instead of the correct ambiguous one ( " ).

0 Karma

tomasnelson
Explorer

Thanks a lot..... woodcock 😃
finally i see the error with your comment. ;=)

0 Karma

tomasnelson
Explorer

I think I expressed myself wrong, I leave a more explicit picture about the error:alt text

0 Karma

woodcock
Esteemed Legend

You probably forgot the comma between the field namd and the time expression. So you have something like eval foo=strfime(bar "%Y-%m-%d %H:%M") instead of eval foo=strfime(bar, "%Y-%m-%d %H:%M").

0 Karma

adonio
Ultra Champion

hello tomasnelson,
remove the singe quotes ' ' all you need is this: eval blah = srftime(_time, ”%Y-%m-%d %H:%M”)

0 Karma

adonio
Ultra Champion

hello tomasnelson,
remove the singe quotes ' ' all you need is this: eval blah = srftime(_time, ”%Y-%m-%d %H:%M”)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...