- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eval with malformed in my nested if. Expected (.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval with malformed in my nested if. Expected (.
Hi,
Need help urgently. I am running Splunk command in batch file but I keep on getting
FATAL: Error in 'eval' command: The expression is malformed. Expected ).
This is my command:
eval 1Status=if(Test_Result=""Passed"","No Issue",if(PreviousResult>0,"Known","New"))
Can anyone tell me what is wrong with this command?
Thank you so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@peiyee422 Does your Test_Result value actually contain double quote in it?
If Not try the following:
| eval 1Status=if(Test_Result="Passed","No Issue",if(PreviousResult>0,"Known","New"))
If Not try the following which escapes double quotes in eval using \":
| eval 1Status=if(Test_Result="\"Passed\"","No Issue",if(PreviousResult>0,"Known","New"))
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, it is not working in these ways.
This is because I am running them in a batch file, it needs a escape brackets.
BUT I replaced the if statement with case:
eval Test_Status=case(Test_Result=""Passed"",""No Issue"",PreviousResult>0,""Known Issue"", PreviousResult=0,""New"")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by running them in a batch file. Also are you still getting error? What do you mean by it is not working?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I run the query in a batch file, still getting the same error.
Anyways, issue solved by using CASE.
Thank you so much for the comments!! 🙂 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to know. Please post your solution and accept the same as answer to mark this question as answered!
Do up vote the comment/s that helped!
| makeresults | eval message= "Happy Splunking!!!"
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
