Query example:
```spl
index=eks sourcetype="kube:container" message=log
| fields data.user_agent
| rex field=data.user_agent mode=sed "s/[0-9]//g"
| rex field=data.user_agent mode=sed "s/\.//g"
| eval agent = data.user_agent
| table data.user_agent, agent
```
After this query the `agent` column is empty, while data.user_agent is filled with data.
I was expecting to get a text copy.
Also, if I add some logic based on data.user_agent, it will not work either, for the same reason:
```spl
index=eks-prod sourcetype="kube:container:api-auth" message=web_login
| fields data.user_agent
| rex field=data.user_agent mode=sed "s/[0-9]//g"
| rex field=data.user_agent mode=sed "s/\.//g"
| eval agent = if(like(data.user_agent, "Mozilla%"), "browser", "device")
| stats count by agent
```
This will always produce "device" as the result, never "browser".
Try

```spl
| eval agent = 'data.user_agent'
```
In eval statements, always wrap field names that contain anything other than letters with single quotes. Same applies to fields starting with numbers.
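The reason the unquoted form fails is that in `eval`, `.` is the string concatenation operator, so `data.user_agent` is parsed as the field `data` concatenated with the field `user_agent`; both are absent, the result is null, and `like(null, "Mozilla%")` is false, which is why every event lands in "device". The following is an added example (not from the original question or answer) that reproduces the corrected pipeline without needing the `eks` index: it builds three constructed user-agent strings with `makeresults`, applies the same `rex` normalisation, and classifies them with the field name single-quoted on both sides of `eval`.

```spl
| makeresults count=3
| streamstats count AS n
| eval 'data.user_agent' = case(
    n==1, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0",
    n==2, "curl/8.4.0",
    n==3, "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1")
| rex field=data.user_agent mode=sed "s/[0-9]//g"
| rex field=data.user_agent mode=sed "s/\.//g"
| eval agent = if(like('data.user_agent', "Mozilla%"), "browser", "device")
| table data.user_agent, agent
```

Expected outcome: the two Mozilla-prefixed rows classify as "browser" and the curl row as "device". The `rex field=` argument tolerates the bare dotted name because it is a field reference, not an expression, which is why the normalisation steps in the original query worked while the `eval` steps did not.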