Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'eval' command: The expression is malformed. Expected ).

bandit
Motivator
‎07-31-2013 11:29 AM 
# have a summary index which stores load averages
index=summary10min | table 10_min_load_avg

1   0.140000
2   0.720000
3   0.030000
4   0.080000
5   0.070000

# I'm trying to search the summary index for the max value from the last two events and store in a new field
# I'm getting a syntax error from the eval command
index=summary10min  | head 2 | eval 10_min_load_max=max(10_min_load_avg)

ERROR MESSAGE: Error in 'eval' command: The expression is malformed. Expected ).

Reply

pgerke_cc
Explorer
‎07-09-2019 01:38 AM

I got a simmilar problem, but with {} in the fieldname. I guess any other special characters in the field name is problematic and require a rename of the inputfieldname. Had to rename the field like this to make it work:

rename results{}.dob.age as dob_age

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎07-31-2013 12:09 PM

Splunk does not like it when a field name, or variable, starts with a numeric assignment. For example, when I run this:

| stats count 
| eval ten_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," ten_min_load_avg 
| eval ten_min_load_max=max(ten_min_load_avg)
| fields - count

And, you get this:

alt text

However, when you try this:

| stats count 
| eval 10_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," 10_min_load_avg 
| eval 10_min_load_max=max(10_min_load_avg)
| fields - count

You will get this:

alt text

So, rename your field to start with a alphabetic character and you are in business... 🙂

Reply

manmeet99
Explorer
‎11-18-2016 09:51 AM

Thank you sooo much! You saved me from ripping off all the hair on my head 🙂

Reply

bandit
Motivator
‎07-31-2013 12:56 PM

Gilberto, thanks so much for the rapid response and detailed explanation.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...