Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'eval' command: The expression is malformed. Expected

simingmplatform
New Member
‎09-23-2019 12:33 PM

Hi ALL,
need help for a using case here.

we are trying to setup alert based on below data
value1 ( the average of past 7days since yesterday)
value2 ( the average of yesterday's day)

if value2 is lower than 70% of value1 , trigger alerts.
below is what I use to setup this query

index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-7d@d latest=-2d@d | stats avg(value) as 7day by desc | appendcols [ search index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-2d@d latest=-1d@d | stats avg(value) as 1day by desc] | eval diff=(7day-1day)

but it always return me
Error in 'eval' command: The expression is malformed. Expected ).

any idea ? thx a lot

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2019 12:59 PM

Yes, eval is allowed with stats. The problem appears to be with the field names which begin with digits. Put them inside single quotes to force Splunk to treat them as field names. ... | eval diff=('7day'-'1day')

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

jpolvino
Builder
‎09-23-2019 01:08 PM

You may want to consider using multisearch:

| multisearch
[search index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-7d@d latest=-2d@d | stats avg(value) as prevWeek]
[search index=main topoName=EnrichmentTopology datacenter=NA desc=ENR131 earliest=-2d@d latest=-1d@d | stats avg(value) as prevDay]
| eval alert=if(prevDay<(prevWeek*0.7),"Alert","No alert")

It doesn't look like you need a "by" clause in your stats, since there is only 1 value for desc.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2019 12:59 PM

Yes, eval is allowed with stats. The problem appears to be with the field names which begin with digits. Put them inside single quotes to force Splunk to treat them as field names. ... | eval diff=('7day'-'1day')

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

simingmplatform
New Member
‎09-24-2019 05:46 AM

correct, its after we use day7 and day1 , issue is gone, thx

0 Karma
Reply
Solved! Jump to solution

simingmplatform
New Member
‎09-23-2019 12:41 PM

everything works before | eval part , I guess we cannot use eval with stats ?

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...