Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- [Resolved]Splunk eval - Error in 'eval' command: T...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Resolved]Splunk eval - Error in 'eval' command: The expression is malformed.
cheriemilk
Path Finder
12-04-2019
07:22 PM
Hi team,
I got error 'Error in 'eval' command: The expression is malformed. ' when running below query. Guess it's because the double quote in the the source log. How to get rid of this?
| makeresults
| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN="Jessica" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID="EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1" AGN="\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3="\[tsv2##jobinfo\]" C_ktf4="\[gender,location\]" C_if1="21" C_ktf2="\[Background_Criteria,Profile_Criteria\]" C_bf1="false" C_bf2="false" "
| makemv delim=";" log
| mvexpand log
| rex field=log "ktf2=\"\[(?P(.*))\"\]"
| makemv delim="," ktf2
| eval ktf2= ltrim(ktf2)
| stats count by ktf2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
12-05-2019
08:07 AM
Missed it by >that< much; you need to escape your double-quotes among other minor problems; try this:
| makeresults
| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"\[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B****** TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"\[tsv2##jobinfo\]\" C_ktf4=\"\[gender,location\]\" C_if1=\"21\" C_ktf2=\"\[Background_Criteria,Profile_Criteria\]\" C_bf1=\"false\" C_bf2=\"false\""
| makemv delim=";" log
| mvexpand log
| rename log AS _raw
| kv
| table C_ktf2
| rename C_ktf2 AS ktf2
| rex field=ktf2 mode=sed "s/\\\\\[|\\\\\]//g"
| makemv delim="," ktf2
| eval ktf2= ltrim(ktf2)
| stats count by ktf2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
12-04-2019
07:37 PM
Hi
Try with escaping double quote
| eval log=" 2019-12-03 15:03:10,068 PLV=EVENT CIP=127.0.0.1 CMID=Jessica CMN=\"Jessica\" SN=SCM_Jessica. DPN=dbPool1 UID=cgrant UN=cgrant LOC=en_US EID=\"EVENT-UNKNOWN-UNKNOWN-B11S42AEFSEL-20191203150210-0020-1\" AGN=\"[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36]\" RDT=28579 SVT=4349 EET=28680 JSC=104 CSSC=30 CAID=2590715431-1 MID=SUCCESSION PID=SUCCESSION_TALENT_SEARCH PQ=SUCCESSION_TALENT_SEARCH_V12 ACT=SEARCH MEM=313253 CPU=1437 UCPU=1348 SCPU=89 FRE=527 FWR=0 NRE=1438 NWR=189 SQLC=236 SQLT=1808 SID=DE13EDE047CBBADFA8C93E984B* TRS=- TIP=- TML=- TSL=- ST=1575356561147 ET=1575356589827 TTB=733 RED=- RSR=750 DIA=1223 DCP=1400 C_ktf3=\"[tsv2##jobinfo]\" C_ktf4=\"[gender,location]\" C_if1=\"21\" C_ktf2=\"[Background_Criteria,Profile_Criteria]\" C_bf1=\"false\" C_bf2=\"false\" "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cheriemilk
Path Finder
12-05-2019
12:20 AM
@vnravikumar , Thank you and it works
Get Updates on the Splunk Community!
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies
Olga Malita
The ...
