- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problem with case statement using eval
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
Getting this error:
Error in 'eval' command: The expression is malformed. Expected ).
I'm following the following tutorial:
https://www.splunk.com/blog/2017/06/01/enhancing-splunk-visualizations-with-mapbox.html
Everything was going fine until I got to the part of the search where I had to add the eval case statement color parameters. Can someone tell me where I'm going wrong? Thanks!
sourcetype="test" severity="critical" | iplocation src prefix=start_ | iplocation dest prefix=end_ | search start_Country="*" end_Country="*" | table start_lat start_lon end_lat end_lon app | eval animate="yes", pulse_at_start="yes" | eval color = case (
match(app, "ssh"), "#c0392b"
match(app, "web-browsing"), "#e67e22",
match(app, "unknown-tcp"), "#f1c40f",
match(app, "webdav"), "#27ae60",
1==1, "#7f8c8d")
It doesn't look like I'm missing anything..but then again..Its always better with another set of eyes:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Missing a comma after first match, this should help
sourcetype="test" severity="critical"
| iplocation src prefix=start_
| iplocation dest prefix=end_
| search start_Country="*" end_Country="*"
| table start_lat start_lon end_lat end_lon app
| eval animate="yes", pulse_at_start="yes"
| eval color = case (
match(app, "ssh"), "#c0392b",
match(app, "web-browsing"), "#e67e22",
match(app, "unknown-tcp"), "#f1c40f",
match(app, "webdav"), "#27ae60",
1==1, "#7f8c8d")
Additionally, one useful thing for formatting your queries, if you press CTRL and \ at the same time while in the search window, your query gets automatically formatted to be readable, try it out, it makes troubleshooting queries a lot easier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're missing a comma on line 2. Fix that and it will work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you...face palm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Missing a comma after first match, this should help
sourcetype="test" severity="critical"
| iplocation src prefix=start_
| iplocation dest prefix=end_
| search start_Country="*" end_Country="*"
| table start_lat start_lon end_lat end_lon app
| eval animate="yes", pulse_at_start="yes"
| eval color = case (
match(app, "ssh"), "#c0392b",
match(app, "web-browsing"), "#e67e22",
match(app, "unknown-tcp"), "#f1c40f",
match(app, "webdav"), "#27ae60",
1==1, "#7f8c8d")
Additionally, one useful thing for formatting your queries, if you press CTRL and \ at the same time while in the search window, your query gets automatically formatted to be readable, try it out, it makes troubleshooting queries a lot easier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I feel dumb now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to feel dumb, everyone goes through this and understands the missing parenthesis error message doesn't always mean the parenthesis are missing
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
