Solved: Re: Error in 'where' command: The expression is ma...

sumarri

So I am creating a dashboard and I keep getting this error:

Error in 'where' command: The expression is malformed. Expected ).

This is what I have:

| loadjob savedsearch="name:search:cust_info"
| where AccountType IN ($AccountType$)

I created a multiselect filter on AccountType and I want the SPL to query on those selected.

What could I be missing or another way to achieve this query to filter on AccountType?

sumarri

I have soled the issue.

I needed to add quotes to the AccountType:

| where AccountType IN ("$AccountType$")

I also needed to change the delimiter:

<delimiter>,</delimiter>

This solved the problem for me! Thank you!

View solution in original post

sumarri

I have soled the issue.

I needed to add quotes to the AccountType:

| where AccountType IN ("$AccountType$")

I also needed to change the delimiter:

<delimiter>,</delimiter>

This solved the problem for me! Thank you!

richgalloway

The IN operator only works in the search command. In where you must use the in function.

| loadjob savedsearch="name:search:cust_info"
| where in(AccountType,$AccountType$)

---
If this reply helps you, Karma would be appreciated.

sumarri

Hey! I still get the same error. But thank you for trying! Let me know if something else clicks. Thank you.

richgalloway

What does the $AccountType$ token expand to?

---
If this reply helps you, Karma would be appreciated.

sumarri

So, it is expected to get the AccountTypes selected from the user on the dashboard from the multiselect filter.

Error in 'where' command: The expression is malformed. Expected ).

other

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...