Eval a string as an expression

fk319 · ‎03-12-2015

I have a table that I want to extract an expression from. The expression is quoted string with some fields in it. is there a way I can eval on a string. Something like this would be in my table:
"Apache host:".host." has ".count." errors"

hexx · ‎03-14-2015

I think this is a job for return.

Here's an example:

index=_internal
| head 1
| eval sum = [ stats count | eval string = "1+2" | return $string]
| table sum

Here return results in the in-place substitution of the whole expression [ stats count | eval string = "1+2" | return $string] with the string 1+2, which then allows eval to attribute the value 3 to the "sum" field.

While this answers the initial query of sourcing an eval expression with a string from an external source, your use-case seems a more complex as it would require iteration over a result set, using different eval expressions based on a field in the result - "eventtype", if I'm not mistaken.

I can think of two ways that you may be able to achieve this:

Use map as an iterator over your result set
Provided that there is low variance in the eval expressions that you want to apply, you might want to consider simply doing this in-line (or better yet, with an EVAL- directive in props.conf) using a case() statement. If you have to map a large number of eventtypes to a small number of eval expressions, you'll probably want to introduce a field such as "output_format_type" in your lookup table mapping various eventtypes to the output format you would like. That "output_format_type" is what your eval case() statement would operate on to decide what output format is appropriate.

fk319 · ‎03-12-2015

My question comes down to this,

| eval str="1+2"
| eval sum=eval(str)

lasnow · ‎03-12-2015

are you looking to do any operation, or would it always be sum?
| eval str="1+2"
| rex field=str "(?\d+)+(?\d+)"
| eval sum=A+B

identifying the operator would make it more complicated, but it could probably be done...

fk319 · ‎03-13-2015

mostly it is a string concationation, "apache host: ".host
While host is common, often they include custom field extractions

lasnow · ‎03-13-2015

not sure i fully understand the question, but would you be looking to do something like this?
... | stats count by host | eval verbose="Apache host ".host." has ".count." errors" | table verbose

or if "Apache host hostname has count errors" is your input you could do
... | rex "Apache host (?[^\s]+) has (?\d+) errors" | table hostname, count

somesoni2 · ‎03-13-2015

I believe you have similar requirement as this user.
http://answers.splunk.com/answers/222645/how-to-set-fielda-to-valuefieldb-inline-search-rep.html

You can try the option that I suggested in above post.

somesoni2 · ‎03-13-2015

Can you provide your full query you're/you'll use, along with how many no of rows you're going to get?

dmaislin_splunk · ‎03-12-2015

Please post one actual event so we can help with a real search expression.

fk319 · ‎03-12-2015

"Apache host:".host." has ".count." errors"

dmaislin_splunk · ‎03-12-2015

Oh come on now Frank, fill in the blanks 🙂

fk319 · ‎03-12-2015

that is about it, my table will have something like:

eventtype,output
Apache,"""Apache host:"".host."" has "".count."" errors"""

I will do something like
[inputcsv Alerts | fields eventtype] | lookup Alerts eventtype | eval out={output} | table out

Eval a string as an expression

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...