Solved: Why Splunk is telling me that my eval expression i...

tcmarquesi · ‎09-12-2016

I'm trying to evaluate the normal distribuiton's PDF into my search as follows:

... | eval prob=(1/sqrt(2*pi()*sigma^2))*exp(-((x-mi)^2)/(2*sigma^2))

And I'm getting this error message:

Error in 'eval' command: The expression is malformed. Expected ).

What am I doing wrong? I tested the expression on Excel and it works fine...

sundareshr · ‎09-12-2016

I haven't tested this, but at first glance, it could be because of the the power of function. Change all occurences of sigma^2 to pow(sigma, 2). So your formula s/b written like this

(1/sqrt(2*pi()*pow(sigma,2)))*exp(-(pow((x-mi),2))/(2*pow(sigma, 2)))

View solution in original post

sundareshr · ‎09-12-2016

I haven't tested this, but at first glance, it could be because of the the power of function. Change all occurences of sigma^2 to pow(sigma, 2). So your formula s/b written like this

(1/sqrt(2*pi()*pow(sigma,2)))*exp(-(pow((x-mi),2))/(2*pow(sigma, 2)))

tcmarquesi · ‎09-12-2016

Thank you!

Why Splunk is telling me that my eval expression is malformed?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?