topic Re: eval field is not working in where condition in Splunk Search

eval field is not working in where condition

shraddha09 — Fri, 04 Apr 2025 18:57:30 GMT

Re: eval field is not working in where condition

richgalloway — Fri, 04 Apr 2025 19:50:01 GMT

We need more information.

Re: eval field is not working in where condition

livehybrid — Fri, 04 Apr 2025 21:35:58 GMT

I'm not really sure I understand what you're looking for, however generally eval should be done BEFORE you run your where statement.

Please could you share the SPL which is not working as expected so we can help further?

🌟 Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: eval field is not working in where condition

gcusello — Sat, 05 Apr 2025 17:08:08 GMT

Hi @shraddha09 ,

as also @livehybrid and @richgalloway said, it's really difficoult to help you without any information.

The only additional information that I can add is that you cannot use an eval condition in a where command: you must use the eval command and then in a different row the where condition.

Ciao.

Giuseppe

Re: eval field is not working in where condition

shraddha09 — Mon, 07 Apr 2025 09:00:25 GMT

Here is my SPL query,

index=wf_eit_ecio) | eval lstUlid=max('Properties.Gems.DataSyncsExecutionContext.dataSyncProvidersExecutionGroupULID') | where 'Properties.Gems.DataSyncsExecutionContext.dataSyncProvidersExecutionGroupULID' = lstUlid | chart count(Properties.Gems.DataSyncExecutionContext.DataSyncProviderName) as TotalApiCallsCount Over Properties.Gems.DataSyncExecutionContext.DataSyncProviderName

lstUlid field is generated but its not working in where condition and not filtering the records

Re: eval field is not working in where condition

gcusello — Mon, 07 Apr 2025 10:36:59 GMT

Hi @shraddha09 ,

you cannot use max in the eval command, max can be used only in stats or similar streaming commands.

try something like this:

index=wf_eit_ecio) | rename 'Properties.Gems.DataSyncsExecutionContext.dataSyncProvidersExecutionGroupULID' AS GroupULID 'Properties.Gems.DataSyncExecutionContext.DataSyncProviderName' AS ProviderName | where GroupULID = lstUlid | stats max(GroupULID) AS max BY ProviderName | chart count(max) as TotalApiCallsCount BY ProviderName

I supposed that lstUlid is a threshold.

another thing, don't bring these so long field names, rename them after the main search.

Ciao.

Giuseppe

Re: eval field is not working in where condition

ITWhisperer — Mon, 07 Apr 2025 11:11:07 GMT

Try something like this

| streamstats max('Properties.Gems.DataSyncsExecutionContext.dataSyncProvidersExecutionGroupULID') as lstUlid | where 'Properties.Gems.DataSyncsExecutionContext.dataSyncProvidersExecutionGroupULID' = lstUlid

Re: eval field is not working in where condition

shraddha09 — Mon, 07 Apr 2025 11:37:27 GMT

rename fields are not showing with | table command