Splunk Search

Error in 'eval' command: The operator at '{}.Instrument' is invalid.

TheMilkMan
New Member

Do you know why I get the following error message?

vols{}.Instrument is a valid field but it doesn't like the {}.

index=gasvol | head 1 | eval Contract=vols{}.Instrument + " " + vols{}.SequenceItem | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume

Error in 'eval' command: The operator at '{}.Instrument' is invalid.

Tags (2)
0 Karma
1 Solution

somesoni2
Revered Legend

You go two options here

  1. Rename so that special characters are removed by the field names

    index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument + " " + SequenceItem | table Broker Contract Volume

  2. Enclose the fields within single quotes for eval and where commands

    index=gasvol | head 1 | eval Contract='vols{}.Instrument' + " " + 'vols{}.SequenceItem' | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume

View solution in original post

0 Karma

TheMilkMan
New Member

I worked it, you need to split the JSON array using spath then use mvexpand to extract the collection.

index=gasvol | head 1 | spath output=myfield path=vols{} | mvexpand myfield | spath input=myfield | eval Contract=Instrument. " " .SequenceItem | table Contract Broker Volume

0 Karma

TheMilkMan
New Member

Thanks both for your help.

This resolved the problem but when I try to join Instrument and SequenceItem the field is blank. It doesn't seem to structure the results like it does display in the table, if I do min then it gives me a value but not the correct value eval Contract2=min(Instrument)." ".min(SequenceItem).

index=gasvol | head 1 | rename vols{}.* as * | table Instrument SequenceItem Broker Volume Contract Contract2 | eval Contract=Instrument." ".SequenceItem
0 Karma

TheMilkMan
New Member

Thanks

Still doesn't work, I think it's related to the level that eval handles events. Any eval events doesn't seem to work on a row basis.

The source data is JSON and Splunk is extracing the collection.

[{"Volume": 10, "Instrument": "FTSE100", "Broker": "FTSE", "SequenceItem": "SPOT"}, {"Volume": 20, "Instrument": "FTSE250", "Broker": "LSE", "SequenceItem": "SPOT"}

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try rearranging things a little:

index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument." ".SequenceItem | eval Contract2=min(Instrument)." ".min(SequenceItem) | table Instrument SequenceItem Broker Volume Contract Contract2
---
If this reply helps you, an upvote would be appreciated.
0 Karma

somesoni2
Revered Legend

You go two options here

  1. Rename so that special characters are removed by the field names

    index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument + " " + SequenceItem | table Broker Contract Volume

  2. Enclose the fields within single quotes for eval and where commands

    index=gasvol | head 1 | eval Contract='vols{}.Instrument' + " " + 'vols{}.SequenceItem' | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I suggest you rename the data model, if you can. Using special characters other than '_' is asking for trouble.

If you can't rename the model itself, try using the rename search command to change "vols{}" to "vols".

index=gasvol | head 1 | rename "vols{}" as vols | eval Contract=vols.Instrument + " " + vols.SequenceItem | rename vols.Broker as "Broker" vols.Volume as "Volume" | table Broker Contract Volume
---
If this reply helps you, an upvote would be appreciated.
0 Karma