Re: Error in 'eval' command: The expression is mal...

bandit · ‎07-31-2013

# have a summary index which stores load averages
index=summary10min | table 10_min_load_avg

1   0.140000
2   0.720000
3   0.030000
4   0.080000
5   0.070000

# I'm trying to search the summary index for the max value from the last two events and store in a new field
# I'm getting a syntax error from the eval command
index=summary10min  | head 2 | eval 10_min_load_max=max(10_min_load_avg)

ERROR MESSAGE: Error in 'eval' command: The expression is malformed. Expected ).

pgerke_cc · ‎07-09-2019

I got a simmilar problem, but with {} in the fieldname. I guess any other special characters in the field name is problematic and require a rename of the inputfieldname. Had to rename the field like this to make it work:

rename results{}.dob.age as dob_age

Gilberto_Castil · ‎07-31-2013

Splunk does not like it when a field name, or variable, starts with a numeric assignment. For example, when I run this:

| stats count 
| eval ten_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," ten_min_load_avg 
| eval ten_min_load_max=max(ten_min_load_avg)
| fields - count

And, you get this:

However, when you try this:

| stats count 
| eval 10_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," 10_min_load_avg 
| eval 10_min_load_max=max(10_min_load_avg)
| fields - count

You will get this:

So, rename your field to start with a alphabetic character and you are in business... 🙂

manmeet99 · ‎11-18-2016

Thank you sooo much! You saved me from ripping off all the hair on my head 🙂

bandit · ‎07-31-2013

Gilberto, thanks so much for the rapid response and detailed explanation.

Error in 'eval' command: The expression is malformed. Expected ).

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!