Can't use eval function on fields extracted from j...

myobmatt · ‎03-13-2018

I have extracted fields from a json log using spath, I want to add double quotes to the tabled results using ... | eval myval="\"".myval."\"" but no eval function seems to work on the fields extracted in this way. What am I doing wrong??

niketn · ‎03-13-2018

@myobmatt can you add some JSON data sample along with the field name that spath extracts?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

myobmatt · ‎03-13-2018

Any field that I have extracted from the json log using spath, when I try to apply ANY eval function, comes up blank when I try to table it

tiagofbmm · ‎03-13-2018

Hi

You jus need one set of \" in the beginning and one in the end, like this

| eval myval="\""+myval+"\""

tiagofbmm · ‎03-21-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

493669 · ‎03-13-2018

Hi
have you tried this:

|eval myval="\"".myval."\""

Can't use eval function on fields extracted from json log using spath

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation