Splunk Search

What's wrong with this eval statement? Getting 'Error in 'eval' command: The expression is malformed. Expected ). ' Error.

sarwshai
Communicator

This is the eval statement I am using along with case, but I am getting an error.

eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)

0 Karma
1 Solution

sarwshai
Communicator

Ugh, my bad! I copied the search from the earlier dashboard's source XML and pasted it into the search box; this '>' sign was and is present as ';' in the dashboard XML, which is why it was giving the error. Otherwise the eval statement is correct.


0 Karma
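The root cause above is XML escaping: inside a Simple XML dashboard, the `>` in an eval expression is stored as an entity, so copying the search text from the raw source view gives Splunk something that is not valid SPL. The following Python example is added here and is not from the thread or from Splunk; it uses a constructed dashboard fragment and a hypothetical `check_eval_parens` helper to show the difference between the raw `<query>` text and the properly decoded one.

```python
import xml.etree.ElementTree as ET

# Constructed Simple XML fragment (not from the thread). The search lives inside
# XML, so every '>' in the eval expression has to be written as '&gt;'.
DASHBOARD_XML = """<dashboard>
  <row><panel><chart>
    <search><query>index=nessus sourcetype=nessus:scan
| eval total=case(critical&gt;0 AND high&gt;0, critical+high, critical&gt;0, critical, high&gt;0, high, true(), 0)</query></search>
  </chart></panel></row>
</dashboard>"""


def raw_query_text(xml_text):
    """Return the <query> body exactly as it appears in the XML source.
    This is what a copy-and-paste from the dashboard source view gives you."""
    start = xml_text.index("<query>") + len("<query>")
    end = xml_text.index("</query>")
    return xml_text[start:end]


def parsed_query_text(xml_text):
    """Return the <query> body after XML parsing, which decodes &gt; back to >."""
    root = ET.fromstring(xml_text)
    return root.find(".//search/query").text


def check_eval_parens(spl):
    """Cheap sanity check for the 'Expected )' class of error (hypothetical helper):
    every '(' must be closed, and no undecoded XML entity may remain where a
    comparison operator is expected."""
    depth = 0
    for ch in spl:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and "&gt;" not in spl and "&lt;" not in spl


if __name__ == "__main__":
    print("raw text passes check:   ", check_eval_parens(raw_query_text(DASHBOARD_XML)))
    print("parsed text passes check:", check_eval_parens(parsed_query_text(DASHBOARD_XML)))
```

Pasting the parsed (decoded) text into the search bar avoids the malformed-expression error; pasting the raw source text does not.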

woodcock
Esteemed Legend

Click Accept on your answer here to close the question.

0 Karma

woodcock
Esteemed Legend

You must ensure that all fields based on severity (critical, high, etc.) are numbers, or you will get an error, so try this:

index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational") 
| stats dc(signature) as vuln_count count by severity,dest 
| chart useother=`useother` first(vuln_count) over dest by severity
| foreach critical high medium low informational
   [ rex field=<<FIELD>> mode=sed "s/[\r\n\s]//g" | eval <<FIELD>>=tonumber(<<FIELD>>) ]
| eval total=case(
   critical>0 AND high>0,         critical+high,
   critical>0,                    critical,
   high>0,                        high,
   true(),                        0) 
| eval subTotal=case(
   medium>0 AND low>0,            medium+low,
   medium>0,                      medium,
   low>0,                         low,
   true(),                        0) 
| eval subSubTotal=case(
   informational>0 AND unknown>0, informational+unknown,
   informational>0,               informational,
   unknown>0,                     unknown,
   true(),                        0)

sarwshai
Communicator

@xpac, no, I checked all brackets; all is perfect.
Here is the full query:

index=nessus sourcetype=nessus:scan (severity = "critical" OR severity = "high" OR severity = "medium" OR severity = "low" OR severity = "informational")
| stats dc(signature) as vuln_count count by severity,dest
| chart useother=`useother` first(vuln_count) over dest by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| eval subSubTotal=case(informational>0 AND unknown>0,informational+unknown,informational>0,informational,unknown>0,unknown,1==1,0)

I am getting the error for all the eval statements here, @woodcock.

0 Karma

woodcock
Esteemed Legend

I still do not get any errors.

0 Karma

sarwshai
Communicator

Do you have logs from Nessus? If so, can you kindly share the results? I don't know why I am getting that error.

0 Karma

xpac
SplunkTrust

I just put that search into my Splunk, and it is perfectly valid.
The only thing that I had to remove is the useother=`useother` part, because I don't have that macro.
Just in case, can you post the content of that macro?

0 Karma

sarwshai
Communicator

'useother'=true
That's it.

0 Karma

woodcock
Esteemed Legend

It does not give an error for me.

0 Karma

xpac
SplunkTrust

Do you have any other ( or ) in the rest of your query?

0 Karma