https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108835#M28377 <P>"jaw drop" It does! Thank you cphair, this is perfect.</P> Tue, 30 Jul 2013 19:19:20 GMT andywins 2013-07-30T19:19:20Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108833#M28375 <P>With JSON formatted events, I can do fun things like this:</P> <PRE><CODE>sourcetype="microBreadcrumb" | stats sum(message.totalIdle) as sumTotalIdle | table sumTotalIdle </CODE></PRE> <P>As you can see, there is no problem accessing and using the second level within the JSON tree (message.totalIdle). Why does this change when doing a simple eval like this?</P> <PRE><CODE>sourcetype="microBreadcrumb" | eval test=message.totalIdle | table test </CODE></PRE> <P>No results show up. My guess is the period character "." is normally utilized for string appends within an EVAL expression. Now, I can still accomplish the goal with spath:</P> <PRE><CODE>sourcetype="microBreadcrumb" | eval test=spath(_raw,"message.totalIdle") | table test </CODE></PRE> <P>JSON field referencing seems inconsistent between various pipe expressions. I would rather not clutter up the search with the spath function. Don't get me wrong, the spath function is cleaner than the spath pipe expression (ie. <CODE>spath output=message_totalIdle path=message.totalIdle</CODE>) but feel this is messy compared to basic k/v pair field references. Also, EVALs still allow field references at the root level but nothing deeper. Considering KV_MODE = json, I would enjoy referencing fields by the indexed "interesting fields" names on the left hand side panel.</P> <P>Am I missing something simple here?</P> Mon, 29 Jul 2013 20:05:21 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108833#M28375 andywins 2013-07-29T20:05:21Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108834#M28376 <P>I've never used JSON-formatted data in Splunk, but does it work if you enclose the name in single quotes? E.g. eval test='message.totalIdle'</P> Tue, 30 Jul 2013 19:16:49 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108834#M28376 cphair 2013-07-30T19:16:49Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108835#M28377 <P>"jaw drop" It does! Thank you cphair, this is perfect.</P> Tue, 30 Jul 2013 19:19:20 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108835#M28377 andywins 2013-07-30T19:19:20Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108836#M28378 <P>Good to hear. I'm not sure exactly how the search parser thinks, but I think the distinction between the cases is that for sum(message.totalIdle), the only way it makes sense is to treat the whole string as a single field name, whereas in the eval test=message.totalIdle it's ambiguous what the dot is supposed to do, so you need to use the single quotes to explicitly say "this is a field name; take its value."</P> Tue, 30 Jul 2013 19:26:23 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108836#M28378 cphair 2013-07-30T19:26:23Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108837#M28379 <P>That makes sense to me. I probably tried every bracket character besides single quotes. It's critical details like these you skim over in the documentation. Thanks again</P> Tue, 30 Jul 2013 19:30:00 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108837#M28379 andywins 2013-07-30T19:30:00Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108838#M28380 <P>Single quotes actually work. Great job!</P> Fri, 24 Jan 2014 20:43:03 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108838#M28380 fleXible 2014-01-24T20:43:03Z https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108839#M28381 <P>Tks.. its help me to</P> Mon, 11 Apr 2016 21:21:12 GMT https://community.splunk.com/t5/Splunk-Search/EVAL-JSON-Consistency/m-p/108839#M28381 patrick_muller 2016-04-11T21:21:12Z