https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517688#M145591 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225779">@KeaganJ</a>,</P><P>good!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 03 Sep 2020 09:52:15 GMT gcusello 2020-09-03T09:52:15Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517678#M145585 <P>Hi&nbsp;</P><P>I am getting the following error on my application/dashboard:<BR />"<SPAN>&nbsp;Error in 'eval' command: The expression is malformed."<BR /><BR />The query that is being triggered is:<BR /></SPAN></P><LI-CODE lang="javascript">| makeresults count=1 | eval id=$incident_id$| sendalert canary_acknowledge_incident param.incident_id=$incident_id$ param.index_name="main"</LI-CODE><DIV><DIV>&nbsp;</DIV><DIV><SPAN>And this is getting triggered when a Submit Button is being clicked.</SPAN></DIV><DIV><SPAN>The Submit button is tied to a Dropdown of values.</SPAN></DIV><DIV><SPAN><SPAN>The dropdown is populated with values and is defined as below:</SPAN></SPAN></DIV></DIV><LI-CODE lang="markup">&lt;input type="dropdown" token="incident_id" searchWhenChanged="false"&gt; &lt;label&gt;Incident to Close&lt;/label&gt; &lt;fieldForLabel&gt;id&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;id&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;`canary_tools_index` sourcetype="canarytools:incidents" | stats values(id) as id| mvexpand id&lt;/query&gt; &lt;earliest&gt;-30d@d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;/input&gt;</LI-CODE><P><SPAN>And running that drop down populating query using the Search tool gives information such as:</SPAN></P><TABLE><TBODY><TR><TD>incident:canarytoken:80f36193721b94fb268bb6df:&lt;source_ip&gt;:&lt;epoch_timestamp&gt;</TD></TR><TR><TD>incident:canarytoken:80f36193721b94fb268bb6df:&lt;source_ip&gt;:&lt;epoch_timestamp&gt;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>Looking at previous questions asked on this forum point towards the field names of the `eval` command not working whenever they start with a numeric character. But this is not the case in my issues as I am using :<BR />`eval id=$incident_id$`</SPAN></P><P>&nbsp;</P><P><SPAN>This is happening on Splunk 8.0.0</SPAN></P> Thu, 03 Sep 2020 09:25:57 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517678#M145585 KeaganJ 2020-09-03T09:25:57Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517681#M145587 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225779">@KeaganJ</a>,</P><P>try to add quotes to the eval and sendalert commands:</P><LI-CODE lang="markup">| makeresults count=1 | eval id="$incident_id$" | sendalert canary_acknowledge_incident param.incident_id="$incident_id$" param.index_name="main"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 03 Sep 2020 09:35:18 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517681#M145587 gcusello 2020-09-03T09:35:18Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517685#M145590 <P>I managed to fix my issue by surrounding the variable in double quotes ie:</P><LI-CODE lang="markup">eval id="$incident_id$"</LI-CODE> Thu, 03 Sep 2020 09:45:43 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517685#M145590 KeaganJ 2020-09-03T09:45:43Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517688#M145591 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225779">@KeaganJ</a>,</P><P>good!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 03 Sep 2020 09:52:15 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517688#M145591 gcusello 2020-09-03T09:52:15Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517689#M145592 <P>Thanks&nbsp;<SPAN>Giuseppe Just saw your reply now as I refreshed the page. Your solution works great for me.</SPAN></P> Thu, 03 Sep 2020 09:52:56 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed/m-p/517689#M145592 KeaganJ 2020-09-03T09:52:56Z