topic Re: Eval a string as an expression in Splunk Search

Eval a string as an expression

fk319 — Thu, 12 Mar 2015 13:50:48 GMT

I have a table that I want to extract an expression from. The expression is quoted string with some fields in it. is there a way I can eval on a string. Something like this would be in my table:
"Apache host:".host." has ".count." errors"

Re: Eval a string as an expression

dmaislin_splunk — Thu, 12 Mar 2015 14:31:17 GMT

Please post one actual event so we can help with a real search expression.

Re: Eval a string as an expression

fk319 — Thu, 12 Mar 2015 14:39:59 GMT

"Apache host:".host." has ".count." errors"

Re: Eval a string as an expression

dmaislin_splunk — Thu, 12 Mar 2015 14:46:32 GMT

Oh come on now Frank, fill in the blanks 🙂

Re: Eval a string as an expression

fk319 — Thu, 12 Mar 2015 15:13:01 GMT

that is about it, my table will have something like:

eventtype,output
Apache,"""Apache host:"".host."" has "".count."" errors"""

I will do something like
[inputcsv Alerts | fields eventtype] | lookup Alerts eventtype | eval out={output} | table out

Re: Eval a string as an expression

fk319 — Thu, 12 Mar 2015 16:13:31 GMT

My question comes down to this,

| eval str="1+2"
| eval sum=eval(str)

Re: Eval a string as an expression

lasnow — Thu, 12 Mar 2015 23:16:37 GMT

are you looking to do any operation, or would it always be sum?
| eval str="1+2"
| rex field=str "(?\d+)+(?\d+)"
| eval sum=A+B

identifying the operator would make it more complicated, but it could probably be done...

Re: Eval a string as an expression

fk319 — Fri, 13 Mar 2015 15:28:13 GMT

mostly it is a string concationation, "apache host: ".host
While host is common, often they include custom field extractions

Re: Eval a string as an expression

somesoni2 — Fri, 13 Mar 2015 16:14:46 GMT

Can you provide your full query you're/you'll use, along with how many no of rows you're going to get?

Re: Eval a string as an expression

lasnow — Fri, 13 Mar 2015 16:34:57 GMT

not sure i fully understand the question, but would you be looking to do something like this?
... | stats count by host | eval verbose="Apache host ".host." has ".count." errors" | table verbose

or if "Apache host hostname has count errors" is your input you could do
... | rex "Apache host (?[^\s]+) has (?\d+) errors" | table hostname, count

Re: Eval a string as an expression

somesoni2 — Fri, 13 Mar 2015 16:47:28 GMT

I believe you have similar requirement as this user.
http://answers.splunk.com/answers/222645/how-to-set-fielda-to-valuefieldb-inline-search-rep.html

You can try the option that I suggested in above post.

Re: Eval a string as an expression

hexx — Mon, 28 Sep 2020 19:13:43 GMT

I think this is a job for return.

Here's an example:

index=_internal
| head 1
| eval sum = [ stats count | eval string = "1+2" | return $string]
| table sum

Here return results in the in-place substitution of the whole expression [ stats count | eval string = "1+2" | return $string] with the string 1+2, which then allows eval to attribute the value 3 to the "sum" field.

While this answers the initial query of sourcing an eval expression with a string from an external source, your use-case seems a more complex as it would require iteration over a result set, using different eval expressions based on a field in the result - "eventtype", if I'm not mistaken.

I can think of two ways that you may be able to achieve this:

Use map as an iterator over your result set
Provided that there is low variance in the eval expressions that you want to apply, you might want to consider simply doing this in-line (or better yet, with an EVAL- directive in props.conf) using a case() statement. If you have to map a large number of eventtypes to a small number of eval expressions, you'll probably want to introduce a field such as "output_format_type" in your lookup table mapping various eventtypes to the output format you would like. That "output_format_type" is what your eval case() statement would operate on to decide what output format is appropriate.