How to prevent numeric values from turning into a string using the REST API?

momori
Explorer

I'm trying to do a summation of different fields doing a CURL call using the Splunk REST API.

Here's what I have:

curl -sS -u username:password -d "output_mode=csv" -o sample2.csv -k https://"server name":8089/services/search/jobs/export -d search="search index=* earliest=-1s | eval num0=100 | eval total = case(1=1, num0) | stats avg(total) as avgTot | table avgTot"

This returns, as expected:
avgTot
"100.000000"

However, I cannot find a way to add more values to num0. For example, after changing eval num0=100 to eval num0=100+100, it outputs no response. I'm assuming it believes it is a string and cannot add values properly. I've tried tonumber(), num() within the case() statement and evaluating it as an integer outside of the case statement, with no luck.

Please advise. Thanks in advance!

0 Karma
1 Solution

DalJeanis
Legend

Run this for an example

| makeresults | map search="| makeresults count=5 | streamstats count as myrecnum | eval num0=100 | eval total = num0 + myrecnum | stats avg(total) as avgTot | table avgTot"

Run that test code on Splunk and it gives you 103.

Next, use the literal after search= from the above example in place of your search= on the REST API and see whether it returns (properly) 103.

If it does, then the problem is not how to do it in the interface, but that some of the code you are trying to add is not numeric for some reason.

So your code will look like this -

 curl -sS -u username:password -d "output_mode=csv" -o sample2.csv -k https://"server name":8089/services/search/jobs/export -d search="| makeresults count=5 | streamstats count as myrecnum | eval num0=100 | eval total = num0 + myrecnum | stats avg(total) as avgTot | table avgTot"

In my tests, there was nothing else needed to make it work. So, if the above fails, it might be something else. I notice in your original syntax, you have double quotes in the middle of the above statement around "server name". That kind of makes me itch, because if you're doing that to cause something to happen, rather than to protect the words from modification, then it's backwards from what the quotes would do around the search string.

Also, make sure you don't have any tab characters in the search string. That one -- an invisible tab character that happened to come over from the copy source -- cost me nearly an hour of hair pulling this week.

0 Karma

momori
Explorer

Thanks for putting in a detailed answer.
DalJeanis, could you enlighten me on where the invisible tab was?

0 Karma

DalJeanis
Legend

Basically, I had copied some code from one place to another, and one of the applications had put in a tab character. It might have been from constructing code in MS Excel and then copying it to Splunk, something like that.

0 Karma
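
An added example, not part of the original posts: curl's -d sends the search string as typed, and a standard application/x-www-form-urlencoded parser reads a literal + as a space, so the sketch below decodes both request bodies locally to show what arrives for num0=100+100, and also flags the tab and other invisible characters mentioned in the thread. It assumes splunkd decodes the POST body the standard way; the function names and sample searches are constructed for illustration.

```python
import unicodedata
from urllib.parse import parse_qsl, quote

# Constructed sample: the question's change (num0=100+100) in a minimal search.
SPL = "| makeresults | eval num0=100+100 | table num0"
FIELDS = {"output_mode": "csv", "search": SPL}


def body_dash_d(fields):
    """Body curl builds from repeated -d name=value: joined with '&', sent as typed."""
    return "&".join(f"{name}={value}" for name, value in fields.items())


def body_data_urlencode(fields):
    """Body curl builds from --data-urlencode name=value: the value is percent-encoded."""
    return "&".join(f"{name}={quote(value, safe='')}" for name, value in fields.items())


def server_view(body):
    """Decode the body as a standard form parser does (assumed for splunkd): '+' -> ' '."""
    return dict(parse_qsl(body, keep_blank_values=True))


def invisible_chars(spl):
    """Return (offset, code point) for tabs and other characters that do not show up."""
    hits = []
    for offset, ch in enumerate(spl):
        category = unicodedata.category(ch)
        # Cc = control (tab, CR, LF), Cf = format (zero-width), Zs = spaces other than ' '.
        if category in ("Cc", "Cf") or (category == "Zs" and ch != " "):
            hits.append((offset, f"U+{ord(ch):04X}"))
    return hits


if __name__ == "__main__":
    print("-d               ->", server_view(body_dash_d(FIELDS))["search"])
    print("--data-urlencode ->", server_view(body_data_urlencode(FIELDS))["search"])
    # Constructed sample with a pasted tab after "makeresults".
    print("invisible        ->", invisible_chars("| makeresults\t| eval num0=100"))
```

On the curl command line the corresponding change is to pass the search as --data-urlencode search="..." in place of -d search="...".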