There seems to be a bug searching events with JSON data if the field names are nested.
For example: sourcetype=cmdb | rename data.ip_v4_address AS ip
This search works as expected.
sourcetype=cmdb | eval ip=data.ip_v4
This search does not put any value in the ip field.
If, however, I create an alias for data.ip_v4, I can use eval to access the value of the aliased field.
I complained to my Splunk SE about this over a year ago and it still hasn't been fixed as of 7.1.1.
I think the correct syntax for your second search is:
sourcetype=cmdb | eval ip='data.ip_v4'
The requirement for single quotes in this situation is stated at http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval under Syntax:
If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotation marks.
Boom! Thanks, jtacy!
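The quoting difference discussed in this thread, as an added example that is not part of the original posts. The JSON event and its address (192.0.2.10, a documentation range) are constructed sample data, and the output field names are hypothetical. In an eval expression the period is the concatenation operator, so the unquoted form is read as the field `data` joined to the field `ip_v4`, neither of which exists; double quotes produce the literal string rather than the field value:

```spl
| makeresults
| eval _raw="{\"data\": {\"ip_v4\": \"192.0.2.10\"}}"
| spath
| eval ip_unquoted=data.ip_v4,
       ip_single_quoted='data.ip_v4',
       ip_double_quoted="data.ip_v4"
| rename data.ip_v4 AS ip_renamed
| table ip_unquoted ip_single_quoted ip_double_quoted ip_renamed
```

Commands such as rename and table take field names rather than expressions, which is why the rename in the question worked without quotes.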