https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485223#M15306 <P>everything works before | eval part , I guess we cannot use eval with stats ? </P> Mon, 23 Sep 2019 19:41:46 GMT simingmplatform 2019-09-23T19:41:46Z https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485222#M15305 <P>Hi ALL, <BR /> need help for a using case here. </P> <P>we are trying to setup alert based on below data <BR /> value1 ( the average of past 7days since yesterday) <BR /> value2 ( the average of yesterday's day) </P> <P>if value2 is lower than 70% of value1 , trigger alerts. <BR /> below is what I use to setup this query </P> <P>index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-7d@d latest=-2d@d | stats avg(value) as 7day by desc | appendcols [ search index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-2d@d latest=-1d@d | stats avg(value) as 1day by desc] | eval diff=(7day-1day) </P> <P>but it always return me <BR /> Error in 'eval' command: The expression is malformed. Expected ).</P> <P>any idea ? thx a lot </P> Mon, 23 Sep 2019 19:33:06 GMT https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485222#M15305 simingmplatform 2019-09-23T19:33:06Z https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485223#M15306 <P>everything works before | eval part , I guess we cannot use eval with stats ? </P> Mon, 23 Sep 2019 19:41:46 GMT https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485223#M15306 simingmplatform 2019-09-23T19:41:46Z https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485224#M15307 <P>Yes, <CODE>eval</CODE> is allowed with <CODE>stats</CODE>. The problem appears to be with the field names which begin with digits. Put them inside single quotes to force Splunk to treat them as field names. <CODE>... | eval diff=('7day'-'1day')</CODE></P> Mon, 23 Sep 2019 19:59:34 GMT https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485224#M15307 richgalloway 2019-09-23T19:59:34Z https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485225#M15308 <P>You may want to consider using multisearch:</P> <PRE><CODE>| multisearch [search index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-7d@d latest=-2d@d | stats avg(value) as prevWeek] [search index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-2d@d latest=-1d@d | stats avg(value) as prevDay] | eval alert=if(prevDay&lt;(prevWeek*0.7),"Alert","No alert") </CODE></PRE> <P>It doesn't look like you need a "by" clause in your stats, since there is only 1 value for desc.</P> Mon, 23 Sep 2019 20:08:10 GMT https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485225#M15308 jpolvino 2019-09-23T20:08:10Z https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485226#M15309 <P>correct, its after we use day7 and day1 , issue is gone, thx </P> Tue, 24 Sep 2019 12:46:57 GMT https://community.splunk.com/t5/Security/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/485226#M15309 simingmplatform 2019-09-24T12:46:57Z