
Eval a string as an expression

Builder

I have a table that I want to extract an expression from. The expression is a quoted string with some fields in it. Is there a way I can eval a string? Something like this would be in my table:
"Apache host:".host." has ".count." errors"


Splunk Employee

I think this is a job for return.

Here's an example:

index=_internal
| head 1
| eval sum = [ stats count | eval string = "1+2" | return $string]
| table sum

Here, return results in the in-place substitution of the whole expression [ stats count | eval string = "1+2" | return $string ] with the string 1+2, which then allows eval to assign the value 3 to the "sum" field.

While this answers the initial query of sourcing an eval expression with a string from an external source, your use case seems more complex, as it would require iteration over a result set, using different eval expressions based on a field in the result ("eventtype", if I'm not mistaken).

I can think of two ways that you may be able to achieve this:

  • Use map as an iterator over your result set
  • Provided that there is low variance in the eval expressions that you want to apply, you might want to consider simply doing this in-line (or better yet, with an EVAL- directive in props.conf) using a case() statement. If you have to map a large number of eventtypes to a small number of eval expressions, you'll probably want to introduce a field such as "output_format_type" in your lookup table mapping various eventtypes to the output format you would like. That "output_format_type" is what your eval case() statement would operate on to decide what output format is appropriate.

Builder

My question comes down to this,

| eval str="1+2"
| eval sum=eval(str)


Explorer

Are you looking to do any operation, or would it always be a sum?
| eval str="1+2"
| rex field=str "(?<A>\d+)\+(?<B>\d+)"
| eval sum=A+B

identifying the operator would make it more complicated, but it could probably be done...


Builder

Mostly it is a string concatenation, "apache host: ".host
While host is common, they often include custom field extractions.


Explorer

Not sure I fully understand the question, but would you be looking to do something like this?
... | stats count by host | eval verbose="Apache host ".host." has ".count." errors" | table verbose

Or, if "Apache host hostname has count errors" is your input, you could do
... | rex "Apache host (?<hostname>[^\s]+) has (?<count>\d+) errors" | table hostname, count


Revered Legend

I believe you have a similar requirement to this user:
http://answers.splunk.com/answers/222645/how-to-set-fielda-to-valuefieldb-inline-search-rep.html

You can try the option that I suggested in the above post.


Revered Legend

Can you provide the full query you're using (or will use), along with how many rows you're going to get?


Splunk Employee

Please post one actual event so we can help with a real search expression.


Builder

"Apache host:".host." has ".count." errors"


Splunk Employee

Oh come on now Frank, fill in the blanks 🙂


Builder

That is about it; my table will have something like:

eventtype,output
Apache,"""Apache host:"".host."" has "".count."" errors"""

I will do something like
[inputcsv Alerts | fields eventtype] | lookup Alerts eventtype | eval out={output} | table out

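The thread's accepted technique (return $string) splices whatever text the lookup holds straight into the search pipeline, so the lookup table becomes part of the search itself: anyone who can edit that CSV can change what the search does, not just what it prints. The added example below (not from the original post or from Splunk; written here in Python to show the logic outside SPL) takes the safer route a practitioner would want for the asker's exact format: a tiny parser that accepts only double-quoted literals, bare field names and the "." concatenation operator, substitutes field values from a record, and rejects anything else. The CSV sample with the doubled-quote escaping, the record fields (host, count) and the function names are constructed for the example; the "output" column format is the one from the last post.

```python
import csv
import io
import re

# Constructed sample of the lookup table from the thread (eventtype,output),
# using the CSV doubled-quote escaping shown in the last post.
ALERTS_CSV = '''eventtype,output
Apache,"""Apache host:"".host."" has "".count."" errors"""
'''

# One token of the template language: a double-quoted string literal,
# a bare field name, or the "." concatenation operator. Nothing else is
# legal, so a template read from a lookup can only name fields and
# literals; it has no way to smuggle in commands or function calls.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([A-Za-z_][A-Za-z0-9_]*)|(\.))')


def tokenize(expr):
    """Split expr into ('str', text), ('field', name) and ('dot', None) tokens."""
    expr = expr.strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"illegal token at offset {pos}: {expr[pos:pos + 10]!r}")
        literal, name, dot = m.groups()
        if literal is not None:
            tokens.append(("str", literal.replace('\\"', '"')))
        elif name is not None:
            tokens.append(("field", name))
        else:
            tokens.append(("dot", None))
        pos = m.end()
    return tokens


def render(expr, fields):
    """Evaluate a dot-concatenation template against one record's fields.

    Grammar enforced: operand ("." operand)*, operand = string | field.
    Field values come from the `fields` dict; there is no general eval.
    """
    tokens = tokenize(expr)
    if not tokens or len(tokens) % 2 == 0:
        raise ValueError("template must be operands joined by '.'")
    parts = []
    for i, (kind, value) in enumerate(tokens):
        if i % 2 == 1:                       # odd positions must be "."
            if kind != "dot":
                raise ValueError(f"expected '.' at token {i}, got {kind}")
        elif kind == "str":
            parts.append(value)
        elif kind == "field":
            if value not in fields:
                raise KeyError(f"template references unknown field {value!r}")
            parts.append(str(fields[value]))
        else:
            raise ValueError(f"expected a string or field at token {i}")
    return "".join(parts)


def is_valid_template(expr, known_fields):
    """True if expr parses and references only fields in known_fields."""
    try:
        render(expr, {name: "" for name in known_fields})
    except (ValueError, KeyError):
        return False
    return True


def load_templates(csv_text):
    """Map eventtype -> output template; the csv module undoes the "" escapes."""
    return {row["eventtype"]: row["output"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def render_alert(templates, event):
    """Pick the template for event['eventtype'] and fill it from the event's fields."""
    template = templates.get(event.get("eventtype"))
    if template is None:
        raise KeyError(f"no output template for eventtype {event.get('eventtype')!r}")
    return render(template, event)


if __name__ == "__main__":
    templates = load_templates(ALERTS_CSV)
    print(render_alert(templates, {"eventtype": "Apache", "host": "web01", "count": 7}))
```

Because the grammar is closed, a template such as "x".count | delete or len(host) is refused before anything is evaluated, and a template naming a field the event does not carry fails loudly instead of silently producing an empty string. The same validation step could be run over the lookup at edit time, so bad rows are caught when the table is written rather than when an alert fires.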