https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71006#M17767 <P>I have some data in the form of xml records. The fields extract fine using the xmlkv operator, but I can not perform coaelese or similar eval functions because of the ":" in the name of the key fields I am interested in:</P> <P>source data example:</P> <BLOCKQUOTE> <PRE><CODE>&lt;c:ResponseHeader&gt; &lt;c:StatusOk&gt;true&lt;/c:StatusOk&gt; &lt;c:StatusMessage/&gt; &lt;/c:ResponseHeader&gt; &lt;c:AdminContractId&gt;123456&lt;/c:AdminContractId&gt; </CODE></PRE> </BLOCKQUOTE> <P>search command I would like to use</P> <PRE><CODE>| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId) </CODE></PRE> <P>fails with error </P> <BLOCKQUOTE> <P>Error in 'eval' command: The expression is malformed. Expected ).</P> </BLOCKQUOTE> <P>even a simpler standalone example</P> <PRE><CODE>| eval myExample=an:example </CODE></PRE> <P>fails with</P> <BLOCKQUOTE> <P>Error in 'eval' command: The operator at ':example' is invalid.</P> </BLOCKQUOTE> Fri, 15 Oct 2010 07:26:49 GMT bnolen 2010-10-15T07:26:49Z https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71006#M17767 <P>I have some data in the form of xml records. The fields extract fine using the xmlkv operator, but I can not perform coaelese or similar eval functions because of the ":" in the name of the key fields I am interested in:</P> <P>source data example:</P> <BLOCKQUOTE> <PRE><CODE>&lt;c:ResponseHeader&gt; &lt;c:StatusOk&gt;true&lt;/c:StatusOk&gt; &lt;c:StatusMessage/&gt; &lt;/c:ResponseHeader&gt; &lt;c:AdminContractId&gt;123456&lt;/c:AdminContractId&gt; </CODE></PRE> </BLOCKQUOTE> <P>search command I would like to use</P> <PRE><CODE>| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId) </CODE></PRE> <P>fails with error </P> <BLOCKQUOTE> <P>Error in 'eval' command: The expression is malformed. Expected ).</P> </BLOCKQUOTE> <P>even a simpler standalone example</P> <PRE><CODE>| eval myExample=an:example </CODE></PRE> <P>fails with</P> <BLOCKQUOTE> <P>Error in 'eval' command: The operator at ':example' is invalid.</P> </BLOCKQUOTE> Fri, 15 Oct 2010 07:26:49 GMT https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71006#M17767 bnolen 2010-10-15T07:26:49Z https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71007#M17768 <P>are you sure you get the same error for | eval example=an:example?<BR /> i believe it should actually be "Error in 'eval' command: The operator at ':example' is invalid.</P> <P>It seems to me that this is just not accepted. Fix your fileds is what i would say.</P> <P>Here is an example i made up:</P> <PRE><CODE>* | head 2000 | eval x:y=linecount | eval z=x:y </CODE></PRE> <P>the first eval works just fine, and a new field called x:y gets created, however the second eval, breaks. Again, i believe its normal behavior, but we could possibly ask our Dev's and find out for sure..</P> <P>as a workaround try:</P> <PRE><CODE>* | head 2000 | eval x:y=linecount | eval z="x:y" </CODE></PRE> <P>note the ""<BR /> Cheerio,<BR /> .gz</P> Fri, 15 Oct 2010 08:05:45 GMT https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71007#M17768 Genti 2010-10-15T08:05:45Z https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71008#M17769 <P>op updated to reflect actual error from the "cooked" example</P> Fri, 15 Oct 2010 08:12:07 GMT https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71008#M17769 bnolen 2010-10-15T08:12:07Z https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71009#M17770 <P>I have found a hack type workaround - perform a sed before the xmlkv:</P> <PRE><CODE>rex field=_raw mode=sed "s/\:/_/g" </CODE></PRE> Fri, 15 Oct 2010 08:50:24 GMT https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71009#M17770 bnolen 2010-10-15T08:50:24Z https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71010#M17771 <P>Your solution of encasing the RHS of the equals sign in quotation marks means that it is treated as a string, thus Z will always equal the literal string "x:y" and not the value of variable x:y</P> <P>Nice idea though, but tried that already, as well as trying to "escape" and colon with a backslash... also no joy.</P> Sat, 16 Oct 2010 19:11:39 GMT https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71010#M17771 bnolen 2010-10-16T19:11:39Z https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71011#M17772 <P>You should wrap the fieldname name with '$'</P> <P>For example:<BR /> | eval myExample=$an:example$</P> Tue, 27 Nov 2012 10:54:11 GMT https://community.splunk.com/t5/Splunk-Search/eval-fails-if-fields-have-a-quot-quot-in-their-name/m-p/71011#M17772 bfernandez 2012-11-27T10:54:11Z