Splunk Search

Problem with case statement using eval

selinakvle
Explorer

Hi all,

Getting this error:

Error in 'eval' command: The expression is malformed. Expected ).

I'm following the following tutorial:

https://www.splunk.com/blog/2017/06/01/enhancing-splunk-visualizations-with-mapbox.html

Everything was going fine until I got to the part of the search where I had to add the eval case statement color parameters. Can someone tell me where I'm going wrong? Thanks!

sourcetype="test" severity="critical" | iplocation src prefix=start_ | iplocation dest prefix=end_ | search start_Country="*" end_Country="*" | table start_lat start_lon end_lat end_lon app | eval animate="yes", pulse_at_start="yes" | eval color = case (
match(app, "ssh"), "#c0392b"
    match(app, "web-browsing"), "#e67e22",
    match(app, "unknown-tcp"), "#f1c40f",
    match(app, "webdav"), "#27ae60",
    1==1, "#7f8c8d")

It doesn't look like I'm missing anything... but then again... it's always better with another set of eyes :)

martinpu
Communicator

Missing a comma after the first match; this should help:

sourcetype="test" severity="critical" 
    | iplocation src prefix=start_ 
    | iplocation dest prefix=end_ 
    | search start_Country="*" end_Country="*" 
    | table start_lat start_lon end_lat end_lon app 
    | eval animate="yes", pulse_at_start="yes" 
    | eval color = case (
        match(app, "ssh"), "#c0392b",
        match(app, "web-browsing"), "#e67e22",
        match(app, "unknown-tcp"), "#f1c40f",
        match(app, "webdav"), "#27ae60",
        1==1, "#7f8c8d")

Additionally, one useful thing for formatting your queries: if you press CTRL and \ at the same time while in the search window, your query gets automatically formatted to be readable. Try it out; it makes troubleshooting queries a lot easier.

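A small Python lint helper, added here as an example and not code from the thread or from Splunk: it reproduces the asker's broken case() as a constructed string, splits its arguments on top-level commas, and reports both the missing comma and the resulting odd argument count, which is what Splunk surfaces as the vaguer "Expected )" error.

```python
import re

# Constructed SPL fragment reproducing the mistake from the question: the
# comma after the first condition/value pair of case() is missing.
BROKEN_CASE = '''case (
match(app, "ssh"), "#c0392b"
    match(app, "web-browsing"), "#e67e22",
    match(app, "unknown-tcp"), "#f1c40f",
    match(app, "webdav"), "#27ae60",
    1==1, "#7f8c8d")'''

# Same expression with the comma restored, as in the accepted answer.
FIXED_CASE = BROKEN_CASE.replace('"#c0392b"', '"#c0392b",', 1)


def split_case_args(expr):
    """Split the arguments of the outermost case(...) on commas that are not
    nested inside parentheses or double-quoted strings."""
    depth, in_str, args, buf = 0, False, [], []
    for ch in expr[expr.index("(") + 1:]:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                if depth == 0:
                    break            # closing paren of case() itself
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    args.append("".join(buf).strip())
    return args


def lint_case(expr):
    """Return human-readable problems found in a case(...) expression.
    Heuristic: flags a string literal sitting directly beside another token
    (a missing comma) and an odd number of arguments (broken pairs)."""
    problems = []
    args = split_case_args(expr)
    for i, arg in enumerate(args, 1):
        masked = re.sub(r'"[^"]*"', "S", arg)   # hide string contents
        if re.search(r'S\s+[\w(]|[\w)]\s+S', masked):
            problems.append(f"argument {i} looks like two arguments "
                            f"missing a comma: {arg.split()[0]} ...")
    if len(args) % 2:
        problems.append("case() needs condition/value pairs, "
                        f"got {len(args)} arguments")
    return problems
```
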
skoelpin
SplunkTrust

You're missing a comma on line 2. Fix that and it will work.

selinakvle
Explorer

Thank you... face palm.

selinakvle
Explorer

Thank you, I feel dumb now.

skoelpin
SplunkTrust

No need to feel dumb; everyone goes through this and learns that the "missing parenthesis" error message doesn't always mean the parentheses are missing.
