topic eval and where function - it does not work if there is a dot in the field name. do I need to escape the dot? in Splunk Search

eval and where function - it does not work if there is a dot in the field name. do I need to escape the dot?

leonjxtan — Thu, 29 Jun 2017 09:11:35 GMT

because problem reported in link text

In my transaction data set DataModel1.RootTransaction1, now there is a "RootTransaction1.Extracted1" field.

I tried to run below query with "where" command (my use case does not allow me to use search command), and all do not work.

| from datamodel:DataModel1.RootTransaction1 |where RootTransaction1.Extracted1 = "abc"
| from datamodel:DataModel1.RootTransaction1 |where "RootTransaction1.Extracted1" = "abc"
| from datamodel:DataModel1.RootTransaction1 |where RootTransaction1\.Extracted1 = "abc"
| from datamodel:DataModel1.RootTransaction1 |where "RootTransaction1\.Extracted1" = "abc"

The only way working is to rename the field.

| from datamodel:DataModel1.RootTransaction1 |rename RootTransaction1.Extracted1 as Extracted1 |where Extracted1 = "abc"

but this is sub-optimal solution. How can I do eval and where with fields with dot in the middle?

Re: eval and where function - it does not work if there is a dot in the field name. do I need to escape the dot?

niketn — Thu, 29 Jun 2017 09:28:57 GMT

Put field name in single quotes to escape special character:

     | where 'RootTransaction1.Extracted1'="abc"

Re: eval and where function - it does not work if there is a dot in the field name. do I need to escape the dot?

leonjxtan — Thu, 29 Jun 2017 09:28:59 GMT

sorry to add more background on why my use case cannot use search.

This is b/c I want to create an eval field from above Extracted1 field in data model UI, where I cannot rename the transaction field before I do eval...

The code I put in the eval field setting is like below:
case(RootTransaction1.Extracted1="abc", "xyz",
true(),""123")

Re: eval and where function - it does not work if there is a dot in the field name. do I need to escape the dot?

javiergn — Thu, 29 Jun 2017 09:31:40 GMT

Hi,

I might be missing something but if I'm not mistaken when you run FROM you can simply reference the fields by using their short name and not the full name as you would have to do when using tstats for instance.

In your example, the following should just work fine:

| from datamodel:DataModel1.RootTransaction1  
|where Extracted1 = "abc"

And that might be the reason it's working fine when you use rename.
PS: when using field names from within an eval you have to use single quotes instead of double quotes if they contain special characters.