Splunk Search

Error in 'eval' command: The expression is malformed. Expected ).

bandit
Motivator
# have a summary index which stores load averages
index=summary10min | table 10_min_load_avg

1   0.140000
2   0.720000
3   0.030000
4   0.080000
5   0.070000

# I'm trying to search the summary index for the max value from the last two events and store in a new field
# I'm getting a syntax error from the eval command
index=summary10min  | head 2 | eval 10_min_load_max=max(10_min_load_avg)

ERROR MESSAGE: Error in 'eval' command: The expression is malformed. Expected ).

pgerke_cc
Explorer

I got a simmilar problem, but with {} in the fieldname. I guess any other special characters in the field name is problematic and require a rename of the inputfieldname. Had to rename the field like this to make it work:

rename results{}.dob.age as dob_age

0 Karma

Gilberto_Castil
Splunk Employee
Splunk Employee

Splunk does not like it when a field name, or variable, starts with a numeric assignment. For example, when I run this:

| stats count 
| eval ten_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," ten_min_load_avg 
| eval ten_min_load_max=max(ten_min_load_avg)
| fields - count

And, you get this:

alt text

However, when you try this:

| stats count 
| eval 10_min_load_avg="1,2,3,3,4,5" 
| makemv delim="," 10_min_load_avg 
| eval 10_min_load_max=max(10_min_load_avg)
| fields - count

You will get this:

alt text

So, rename your field to start with a alphabetic character and you are in business... 🙂

manmeet99
Explorer

Thank you sooo much! You saved me from ripping off all the hair on my head 🙂

bandit
Motivator

Gilberto, thanks so much for the rapid response and detailed explanation.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...