Solved: Any idea why eval doesn't assign value

Ruslan · ‎02-03-2021

Query example:

index=eks sourcetype="kube:container" message=log
| fields data.user_agent
| rex field=data.user_agent mode=sed "s/[0-9]//g"
| rex field=data.user_agent mode=sed "s/\.//g"
| eval agent = data.user_agent
| table data.user_agent, agent

After this query `agent` column is empty. While data.user_agent is filled with data.

Was expecting to have a text copy.

Also if will add some logic, based on data.user_agent it will not work for reason as well:

index=eks-prod sourcetype="kube:container:api-auth" message=web_login
| fields data.user_agent
| rex field=data.user_agent mode=sed "s/[0-9]//g"
| rex field=data.user_agent mode=sed "s/\.//g"
| eval agent = if(like(data.user_agent, "Mozilla%"), "browser", "device")
| stats count by agent

this will produce result with always "device", never "browser"

renjith_nair · ‎02-03-2021

Try

| eval agent = 'data.user_agent'

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

bowesmana · ‎02-03-2021

@Ruslan

In eval statements, always wrap field names that contain anything other than letters with single quotes. Same applies to fields starting with numbers.

renjith_nair · ‎02-03-2021

Try

| eval agent = 'data.user_agent'

---
What goes around comes around. If it helps, hit it with Karma 🙂

Any idea why eval doesn't assign value

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation