How to prevent numeric values from turning into a string using the REST API?

Explorer

I'm trying to do a summation of different fields doing a CURL call using the Splunk REST API.

Here's what I have:

curl -sS -u username:password -d "output_mode=csv" -o sample2.csv -k https://"server name":8089/services/search/jobs/export -d search="search index=* earliest=-1s | eval num0=100 | eval total = case(1=1, num0) | stats avg(total) as avgTot | table avgTot"

This returns, as expected:
avgTot
"100.000000"

However, I cannot find a way to add more values to num0. For example, changing eval num0=100 to eval num0=100+100, it outputs no response. I'm assuming it believes it is a string and cannot add values properly. I've tried tonumber(), num() within the case() statement and evaluating it as an integer outside of the case statement, with no luck.

Please advise. Thanks in advance!

0 Karma
1 Solution

SplunkTrust

Run this for an example

| makeresults | map search="| makeresults count=5 | streamstats count as myrecnum | eval num0=100 | eval total = num0 + myrecnum | stats avg(total) as avgTot | table avgTot"

Run that test code on Splunk and it gives you 103.

Next, use the literal after search= from the above example in place of your search= on the REST API and see whether it returns (properly) 103.

If it does, then the problem is not how to do it in the interface, but that some of the code you are trying to add is not numeric for some reason.

So your code will look like this -

 curl -sS -u username:password -d "output_mode=csv" -o sample2.csv -k https://"server name":8089/services/search/jobs/export -d search="| makeresults count=5 | streamstats count as myrecnum | eval num0=100 | eval total = num0 + myrecnum | stats avg(total) as avgTot | table avgTot"

In my tests, there was nothing else needed to make it work. So, if the above fails, it might be something else. I notice in your original syntax, you have double quotes in the middle of the above statement around "server name". That kind of makes me itch, because if you're doing that to cause something to happen, rather than to protect the words from modification, then it's backwards from what the quotes would do around the search string.

Also, make sure you don't have any tab characters in the search string. That one -- an invisible tab character that happened to come over from the copy source -- cost me nearly an hour of hair pulling this week.

0 Karma
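
An added example, not part of the original answer: a pre-flight check for a search string before it goes into the REST call. It flags tab characters and, going beyond the thread's case, shows how a `+` sent unencoded in a form body (as `curl -d` sends it) is decoded as a space, assuming the endpoint decodes the body as standard `application/x-www-form-urlencoded` data. The function names and the sample search are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample strings are constructed.
LC_ALL=C; export LC_ALL                  # handle the strings byte by byte
TAB=$(printf '\t')

# True when the search string carries a tab (the invisible-paste problem).
has_tab() { case $1 in *"$TAB"*) return 0 ;; *) return 1 ;; esac; }

# Percent-encode every byte outside the RFC 3986 unreserved set.
urlencode() {
    s=$1; out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# What a form decoder does to the body: '+' becomes a space, %XX becomes a byte.
form_decode() {
    s=$1; out=
    while [ -n "$s" ]; do
        case $s in
            +*) out="$out "; s=${s#?} ;;
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#?}; hex=${hex%"${hex#??}"}
                out=$out$(printf '%b' "\\0$(printf '%o' "0x$hex")")
                s=${s#???} ;;
            *) rest=${s#?}; out=$out${s%"$rest"}; s=$rest ;;
        esac
    done
    printf '%s' "$out"
}

q='| makeresults | eval num0=100+100 | table num0'    # constructed search
has_tab "$q" && printf '%s\n' 'warning: tab character in search string'
printf 'raw body decodes to:     %s\n' "$(form_decode "$q")"
printf 'encoded body decodes to: %s\n' "$(form_decode "$(urlencode "$q")")"
```

With curl, passing the search as `--data-urlencode search="..."` instead of `-d search="..."` has curl percent-encode the value before sending it.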

Explorer

Thanks for putting in a detailed answer.
DalJeanis, could you enlighten me on where the invisible tab was?

0 Karma

SplunkTrust

Basically, I had copied some code from one place to another, and one of the applications had put in a tab character. It might have been from constructing code in MS Excel and then copying it to Splunk, something like that.

0 Karma