What's wrong with this eval statement? Getting the error "Error in 'eval' command: The expression is malformed. Expected )."

sarwshai
Communicator

This is the eval statement I am using along with case, but I am getting an error.

eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)

1 Solution

sarwshai
Communicator

Ugh, my bad! I copied the search from the earlier dashboard's source XML and pasted it into the search box; the '>' sign was and is present as '&gt;' in the dashboard XML, which is why it was giving the error. Otherwise the eval statement is correct.

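The accepted answer comes down to one thing: a dashboard's source XML stores the `>` of the eval as the entity `&gt;`, so a search copied out of the source view still carries the entity while Splunk's XML parser decodes it before the query ever runs. The following Python is an added illustration, not code from the thread or from Splunk; the dashboard fragment and the helper names are constructed for this example.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed SimpleXML fragment (assumption, not the thread's dashboard): the
# source view stores every '>' of the eval as the entity '&gt;'.
DASHBOARD_XML = """<dashboard>
  <row><panel><table><search>
    <query>index=nessus sourcetype=nessus:scan
| chart first(vuln_count) over dest by severity
| eval total=case(critical&gt;0 AND high&gt;0,critical+high,critical&gt;0,critical,high&gt;0,high,1==1,0)</query>
  </search></table></panel></row>
</dashboard>"""

def raw_query_text(xml_text):
    """What you get by copying between <query> tags in the source view: entities intact."""
    return [m.strip() for m in re.findall(r"<query>(.*?)</query>", xml_text, re.S)]

def queries_from_dashboard(xml_text):
    """What Splunk actually runs: the XML parser decodes &gt; back to '>'."""
    root = ET.fromstring(xml_text)
    return [q.text.strip() for q in root.iter("query") if q.text]

def leftover_entities(spl):
    """XML entities that survived a paste into the search bar; any hit explains the 'Expected )' error."""
    return sorted(set(re.findall(r"&(?:gt|lt|amp|quot|apos|#\d+);", spl)))

def unescape_pasted_query(spl):
    """Decode the entities so the pasted search matches the dashboard's own query."""
    return html.unescape(spl)

def paren_balance(spl):
    """Unmatched '(' count, ignoring parentheses inside double-quoted strings; None on a stray ')'.
    This is the other cause of the same error message (xpac's question about extra brackets)."""
    depth, in_string = 0, False
    for ch in spl:
        if ch == '"':
            in_string = not in_string
        elif not in_string and ch == "(":
            depth += 1
        elif not in_string and ch == ")":
            if depth == 0:
                return None
            depth -= 1
    return depth

if __name__ == "__main__":
    pasted = raw_query_text(DASHBOARD_XML)[0]
    print("entities in pasted search:", leftover_entities(pasted))
    print("matches dashboard query:", unescape_pasted_query(pasted) == queries_from_dashboard(DASHBOARD_XML)[0])
```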


woodcock
Esteemed Legend

Click Accept on your answer here to close the question.


woodcock
Esteemed Legend

You must ensure that all fields based on severity (critical, high, etc.) are numbers or you will get an error, so try this:

index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational") 
| stats dc(signature) as vuln_count count by severity,dest 
| chart useother=`useother` first(vuln_count) over dest by severity
| foreach critical high medium low informational
   [ rex field=<<FIELD>> mode=sed "s/[\r\n\s]//g" | eval <<FIELD>>=tonumber(<<FIELD>>) ]
| eval total=case(
   critical>0 AND high>0,         critical+high,
   critical>0,                    critical,
   high>0,                        high,
   true(),                        0) 
| eval subTotal=case(
   medium>0 AND low>0,            medium+low,
   medium>0,                      medium,
   low>0,                         low,
   true(),                        0) 
| eval subSubTotal=case(
   informational>0 AND unknown>0, informational+unknown,
   informational>0,               informational,
   unknown>0,                     unknown,
   true(),                        0)

sarwshai
Communicator

@xpac, no, I checked all the brackets; everything is correct.
Here is the full query:

index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)

I am getting the error for all the eval statements here, @woodcock.


woodcock
Esteemed Legend

I still do not get any errors.


sarwshai
Communicator

Do you have logs from Nessus? If so, can you kindly share the results? I don't know why I am getting that error.


xpac
SplunkTrust

I just put that search into my Splunk, and it is perfectly valid.
The only thing that I had to remove is the useother=`useother` part, because I don't have that macro.
Just in case, can you post the content of that macro?


sarwshai
Communicator

'useother'=true
That's it.


woodcock
Esteemed Legend

It does not give an error for me.


xpac
SplunkTrust

Do you have any other ( or ) in the rest of your query?
