Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Error in 'eval' command: The expression is malformed. Expected ).

bandit
Motivator
‎07-31-2013 11:29 AM 
# have a summary index which stores load averages
index=summary10min | table 10_min_load_avg

1   0.140000
2   0.720000
3   0.030000
4   0.080000
5   0.070000

# I'm trying to search the summary index for the max value from the last two events and store in a new field
# I'm getting a syntax error from the eval command
index=summary10min  | head 2 | eval 10_min_load_max=max(10_min_load_avg)

ERROR MESSAGE: Error in 'eval' command: The expression is malformed. Expected ).

Reply

pgerke_cc
Explorer
‎07-09-2019 01:38 AM

I got a simmilar problem, but with {} in the fieldname. I guess any other special characters in the field name is problematic and require a rename of the inputfieldname. Had to rename the field like this to make it work:

rename results{}.dob.age as dob_age

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎07-31-2013 12:09 PM

Splunk does not like it when a field name, or variable, starts with a numeric assignment. For example, when I run this:

| stats count 
| eval ten_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," ten_min_load_avg 
| eval ten_min_load_max=max(ten_min_load_avg)
| fields - count

And, you get this:

alt text

However, when you try this:

| stats count 
| eval 10_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," 10_min_load_avg 
| eval 10_min_load_max=max(10_min_load_avg)
| fields - count

You will get this:

alt text

So, rename your field to start with a alphabetic character and you are in business... 🙂

Reply

manmeet99
Explorer
‎11-18-2016 09:51 AM

Thank you sooo much! You saved me from ripping off all the hair on my head 🙂

Reply

bandit
Motivator
‎07-31-2013 12:56 PM

Gilberto, thanks so much for the rapid response and detailed explanation.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...