With JSON formatted events, I can do fun things like this:
sourcetype="microBreadcrumb" | stats sum(message.totalIdle) as sumTotalIdle | table sumTotalIdle
As you can see, there is no problem accessing and using the second level within the JSON tree (message.totalIdle). Why does this change when doing a simple eval like this?
sourcetype="microBreadcrumb" | eval test=message.totalIdle | table test
No results show up. My guess is the period character "." is normally utilized for string appends within an EVAL expression. Now, I can still accomplish the goal with spath:
sourcetype="microBreadcrumb" | eval test=spath(_raw,"message.totalIdle") | table test
JSON field referencing seems inconsistent between various pipe expressions. I would rather not clutter up the search with the spath function. Don't get me wrong, the spath function is cleaner than the spath pipe expression (i.e., spath output=message_totalIdle path=message.totalIdle), but I feel this is messy compared to basic k/v pair field references. Also, EVALs still allow field references at the root level but nothing deeper. Considering KV_MODE = json, I would enjoy referencing fields by the indexed "interesting fields" names on the left hand side panel.
Am I missing something simple here?
I've never used JSON-formatted data in Splunk, but does it work if you enclose the name in single quotes? E.g. eval test='message.totalIdle'
Good to hear. I'm not sure exactly how the search parser thinks, but I think the distinction between the cases is that for sum(message.totalIdle), the only way it makes sense is to treat the whole string as a single field name, whereas in the eval test=message.totalIdle it's ambiguous what the dot is supposed to do, so you need to use the single quotes to explicitly say "this is a field name; take its value."
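The three forms discussed in this thread, side by side on one constructed JSON event so the difference can be checked in any Splunk instance without indexed data. This is an added example, not a search from the original posts; the event body and the output field names (dot_as_concat, quoted_field, spath_fn, quoted_numeric) are assumptions.

```spl
| makeresults
| eval _raw="{\"message\": {\"totalIdle\": 42, \"totalBusy\": 8}}"
| spath
| eval dot_as_concat=message.totalIdle
| eval quoted_field='message.totalIdle'
| eval spath_fn=spath(_raw, "message.totalIdle")
| eval quoted_numeric='message.totalIdle' * 2
| table message.totalIdle dot_as_concat quoted_field spath_fn quoted_numeric
```

dot_as_concat comes out empty because eval reads the unquoted dot as the string-append operator joining two fields named message and totalIdle, neither of which spath created; quoted_field and spath_fn both return 42, and quoted_numeric shows the quoted reference behaves as an ordinary field in arithmetic (84).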
That makes sense to me. I probably tried every bracket character besides single quotes. It's critical details like these you skim over in the documentation. Thanks again.