https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443246#M125765 <P>Renaming the variable allowed it to work.</P> <PRE><CODE>message.meta.service=foo | rename message.meta.route as route | stats count(eval(route="/foobar/publish")) as publishes </CODE></PRE> Wed, 26 Jun 2019 21:04:31 GMT gkolstad 2019-06-26T21:04:31Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443245#M125764 <P>The following query is not working for me:</P> <PRE><CODE>message.meta.service=foo | stats count(eval(message.meta.route="/foobar/publish")) as publishes </CODE></PRE> <P>It always results in <CODE>publishes</CODE> being <CODE>0</CODE>, when it should be greater than 0 (e.g., 55).</P> <P>Doing a query of just: <BR /> <CODE>message.meta.route="/foobar/publish"</CODE> <BR /> returns multiple events (e.g., 55), but wh</P> Wed, 26 Jun 2019 20:18:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443245#M125764 rbednark 2019-06-26T20:18:18Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443246#M125765 <P>Renaming the variable allowed it to work.</P> <PRE><CODE>message.meta.service=foo | rename message.meta.route as route | stats count(eval(route="/foobar/publish")) as publishes </CODE></PRE> Wed, 26 Jun 2019 21:04:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443246#M125765 gkolstad 2019-06-26T21:04:31Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443247#M125766 <P>Try this (fields with special characters in its name should be enclosed in single quotes when used in expressions of eval/where)</P> <PRE><CODE> message.meta.service=foo | stats count(eval('message.meta.route'="/foobar/publish")) as publishes </CODE></PRE> Wed, 26 Jun 2019 21:04:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443247#M125766 somesoni2 2019-06-26T21:04:59Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443248#M125767 <P>Working with <CODE>rbednark</CODE> we discovered that renaming the variable allowed the eval and count to work as expected.<BR /> Can't use <CODE>.</CODE> in an eval comparison I guess?</P> <PRE><CODE>message.meta.service=foo | rename message.meta.route as route | stats count(eval(route="/foobar/publish")) as publishes </CODE></PRE> Wed, 26 Jun 2019 21:06:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443248#M125767 gkolstad 2019-06-26T21:06:29Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443249#M125768 <P>Try this:</P> <PRE><CODE> index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND message.meta.service=foo | stats count(eval('message.meta.route'="/foobar/publish")) AS publishes </CODE></PRE> <P>You must encapsulate the field name in single-quotes because it contains periods.</P> Sat, 29 Jun 2019 19:30:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-this-query-working-for-me-using-stats-eval-count/m-p/443249#M125768 woodcock 2019-06-29T19:30:36Z