Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: The expression is malformed. Expected ).

bandit
Motivator
‎07-31-2013 11:29 AM 
# have a summary index which stores load averages
index=summary10min | table 10_min_load_avg

1   0.140000
2   0.720000
3   0.030000
4   0.080000
5   0.070000

# I'm trying to search the summary index for the max value from the last two events and store in a new field
# I'm getting a syntax error from the eval command
index=summary10min  | head 2 | eval 10_min_load_max=max(10_min_load_avg)

ERROR MESSAGE: Error in 'eval' command: The expression is malformed. Expected ).

Reply

pgerke_cc
Explorer
‎07-09-2019 01:38 AM

I got a simmilar problem, but with {} in the fieldname. I guess any other special characters in the field name is problematic and require a rename of the inputfieldname. Had to rename the field like this to make it work:

rename results{}.dob.age as dob_age

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎07-31-2013 12:09 PM

Splunk does not like it when a field name, or variable, starts with a numeric assignment. For example, when I run this:

| stats count 
| eval ten_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," ten_min_load_avg 
| eval ten_min_load_max=max(ten_min_load_avg)
| fields - count

And, you get this:

alt text

However, when you try this:

| stats count 
| eval 10_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," 10_min_load_avg 
| eval 10_min_load_max=max(10_min_load_avg)
| fields - count

You will get this:

alt text

So, rename your field to start with a alphabetic character and you are in business... 🙂

Reply

manmeet99
Explorer
‎11-18-2016 09:51 AM

Thank you sooo much! You saved me from ripping off all the hair on my head 🙂

Reply

bandit
Motivator
‎07-31-2013 12:56 PM

Gilberto, thanks so much for the rapid response and detailed explanation.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...