https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20871#M3333 <P>Gilberto, thanks so much for the rapid response and detailed explanation.</P> Wed, 31 Jul 2013 19:56:58 GMT bandit 2013-07-31T19:56:58Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20869#M3331 <PRE><CODE># have a summary index which stores load averages index=summary10min | table 10_min_load_avg 1 0.140000 2 0.720000 3 0.030000 4 0.080000 5 0.070000 # I'm trying to search the summary index for the max value from the last two events and store in a new field # I'm getting a syntax error from the eval command index=summary10min | head 2 | eval 10_min_load_max=max(10_min_load_avg) </CODE></PRE> <P>ERROR MESSAGE: Error in 'eval' command: The expression is malformed. Expected ).</P> Wed, 31 Jul 2013 18:29:51 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20869#M3331 bandit 2013-07-31T18:29:51Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20870#M3332 <P>Splunk does not like it when a field name, or variable, starts with a numeric assignment. For example, when I run this:</P> <PRE><CODE>| stats count | eval ten_min_load_avg="1,2,3,3,4,5" | makemv delim="," ten_min_load_avg | eval ten_min_load_max=max(ten_min_load_avg) | fields - count </CODE></PRE> <P>And, you get this:</P> <H2><IMG src="http://splunk-base.splunk.com//storage/Untitled1003.png" alt="alt text" /></H2> <P>However, when you try this:</P> <PRE><CODE>| stats count | eval 10_min_load_avg="1,2,3,3,4,5" | makemv delim="," 10_min_load_avg | eval 10_min_load_max=max(10_min_load_avg) | fields - count </CODE></PRE> <P>You will get this:</P> <P><IMG src="http://splunk-base.splunk.com//storage/Untitled1004.png" alt="alt text" /></P> <P>So, rename your field to start with a alphabetic character and you are in business... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 31 Jul 2013 19:09:53 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20870#M3332 Gilberto_Castil 2013-07-31T19:09:53Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20871#M3333 <P>Gilberto, thanks so much for the rapid response and detailed explanation.</P> Wed, 31 Jul 2013 19:56:58 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20871#M3333 bandit 2013-07-31T19:56:58Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20872#M3334 <P>Thank you sooo much! You saved me from ripping off all the hair on my head <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Fri, 18 Nov 2016 17:51:35 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20872#M3334 manmeet99 2016-11-18T17:51:35Z https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20873#M3335 <P>I got a simmilar problem, but with {} in the fieldname. I guess any other special characters in the field name is problematic and require a rename of the inputfieldname. Had to rename the field like this to make it work:</P> <P><CODE>rename results{}.dob.age as dob_age</CODE></P> Tue, 09 Jul 2019 08:38:07 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-eval-command-The-expression-is-malformed-Expected/m-p/20873#M3335 pgerke_cc 2019-07-09T08:38:07Z