Splunk Search

Help need to fix error "The expression is malformed. Expected LIKE." (Using rex and inputlookup)

ChrisCLewis
Communicator

Hi,

I am looking for some help on how to remove the malformed expression error coming from the query below. Many thanks for your time:

index="test" Policies=policy1 Destination=*@*
| rex max_match=0 field=Destination "(?[^@]+)@(?[^,\"\s\;]+)"
| search Comp [| inputlookup test.csv | fields suspicious]
| table ref Comp date_month

The test.csv has 'app' permissions and | inputlookup test.csv shows the data from the csv.
The rex command works without the search (it extracts domains from email addresses).

Job inspector has a comment of:
info : No matching fields exist

Job search has this line:
WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi ChrisCLewis,
What's "Comp"?
If you want to use a lookup in a subsearch, you have to make sure that the field name in the subsearch is the same as in the main search, so if in the main search you have a field called suspicious, you can use a search like this:

index="test" Policies=policy1 Destination=*@*
| rex max_match=0 field=Destination "(?[^@]+)@(?[^,\"\s\;]+)"
| search [ | inputlookup test.csv | fields suspicious ]
| table ref Comp date_month

If instead the field name in the main search is different (e.g. Comp), you have to rename the field in the subsearch:

index="test" Policies=policy1 Destination=*@*
| rex max_match=0 field=Destination "(?[^@]+)@(?[^,\"\s\;]+)"
| search [ | inputlookup test.csv | rename suspicious AS Comp | fields Comp ]
| table ref Comp date_month

In other words, the main search and the subsearch must use the same field name.

Bye.
Giuseppe

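To make the field-name point concrete, here is a small Python model of what the pipeline in the answer does, added here as an illustration and not code from any post in this thread or from Splunk itself. The events and the lookup rows are constructed sample data, and the capture-group names user and Comp are assumptions: the regex as pasted in the thread lost its (?<name>...) parts, and only the field Comp is known from the table command. The model shows why the unrenamed subsearch returns nothing (it emits suspicious="..." terms while the extracted field is called Comp) and how rename suspicious AS Comp fixes it.

```python
import re

# Constructed sample events standing in for the results of
# index="test" Policies=policy1 Destination=*@*
# Destination may hold one or several recipient addresses per event.
EVENTS = [
    {"ref": "T-1001", "date_month": "march",
     "Destination": "alice@corp.example, bob@partner.example"},
    {"ref": "T-1002", "date_month": "march",
     "Destination": "carol@mail.evil.example"},
    {"ref": "T-1003", "date_month": "april",
     "Destination": "internal memo, no address here"},
]

# Constructed stand-in for test.csv: a single column named "suspicious".
LOOKUP_ROWS = [
    {"suspicious": "mail.evil.example"},
    {"suspicious": "partner.example"},
]

# Named capture groups as rex needs them. Group names are assumed (the thread's
# regex lost its <name> parts); the domain group is called Comp because that is
# the field the table command refers to. Note the first group also swallows the
# separator (", bob") on later matches; the domain group is unaffected.
EMAIL_RE = re.compile(r'(?P<user>[^@]+)@(?P<Comp>[^,"\s;]+)')


def rex_max_match_0(events, field, pattern):
    """Model of `rex max_match=0 field=<field> "<pattern>"`: every named group
    becomes a multivalue field holding all matches, in order."""
    out = []
    for ev in events:
        ev = dict(ev)
        for m in pattern.finditer(ev.get(field, "")):
            for name, value in m.groupdict().items():
                ev.setdefault(name, []).append(value)
        out.append(ev)
    return out


def subsearch_filter(lookup_rows, field):
    """Model of `[| inputlookup test.csv | fields <field>]`: Splunk rewrites the
    subsearch into (<field>="v1") OR (<field>="v2") ..., so the field NAME the
    subsearch emits is the name matched in the outer search."""
    return field, {row[field] for row in lookup_rows}


def search(events, filt):
    """Model of `| search <filter>`: keep events where the named field has at
    least one value equal (case-insensitively, as the search command does) to a
    filter value. A missing field never matches."""
    field, values = filt
    wanted = {v.lower() for v in values}
    kept = []
    for ev in events:
        have = ev.get(field, [])
        if isinstance(have, str):
            have = [have]
        if any(v.lower() in wanted for v in have):
            kept.append(ev)
    return kept


def table(events, *cols):
    """Model of `| table col1 col2 ...`."""
    return [{c: ev.get(c) for c in cols} for ev in events]


def run(rename_suspicious_to_comp):
    """Run the whole pipeline, with or without the rename in the subsearch."""
    extracted = rex_max_match_0(EVENTS, "Destination", EMAIL_RE)
    if rename_suspicious_to_comp:
        # `| rename suspicious AS Comp | fields Comp` inside the subsearch
        rows = [{"Comp": r["suspicious"]} for r in LOOKUP_ROWS]
        filt = subsearch_filter(rows, "Comp")
    else:
        filt = subsearch_filter(LOOKUP_ROWS, "suspicious")
    return table(search(extracted, filt), "ref", "Comp", "date_month")


if __name__ == "__main__":
    print("without rename:", run(False))  # no event has a field 'suspicious'
    print("with rename:   ", run(True))   # T-1001 and T-1002 match the lookup
```

Two things the model makes visible that the SPL does not: a field-name mismatch fails silently (zero results rather than an error, which is why the job inspector's "No matching fields exist" note is the only hint), and because max_match=0 produces a multivalue Comp, one suspicious address among several recipients is enough for the event to match. In a real deployment also keep the subsearch result limits in mind (limits.conf [subsearch], by default 10,000 rows and 60 seconds): a lookup larger than that is silently truncated when used this way, and a lookup command or `| lookup` enrichment followed by a filter is the more robust pattern for big suspicious-domain lists.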

richgalloway
SplunkTrust
SplunkTrust

The error is not coming from your query, at least not directly. It's caused by a faulty auto-calculated field "url_length". If you can share the pan:threat stanza from your props.conf file we may be able to say how to correct it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ChrisCLewis
Communicator

Thank you for the reply. Would you happen to know which folder to get it from? I can find over 20.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use btool. On the CLI, run $SPLUNK_HOME/bin/splunk btool -debug props list pan:threat. It will show the file(s) from which the attributes came.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ChrisCLewis
Communicator

Thank you for your help. The issues are being caused by not being able to grant the App permission to read the Lookup file and Lookup definitions.

0 Karma

ChrisCLewis
Communicator

For some reason the wildcards around the @ were removed when I copied over the query. It should be Destination=*@*; basically it is looking for emails.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To keep that from happening, put backticks around your code or highlight the lines and press the Code button ("101010").

---
If this reply helps you, Karma would be appreciated.
0 Karma