Splunk Search

Eval a string as an expression

Builder

I have a table that I want to extract an expression from. The expression is a quoted string with some fields in it. Is there a way I can eval on a string? Something like this would be in my table:
"Apache host:".host." has ".count." errors"


Splunk Employee

I think this is a job for return.

Here's an example:

index=_internal
| head 1
| eval sum = [ stats count | eval string = "1+2" | return $string]
| table sum

Here return results in the in-place substitution of the whole expression [ stats count | eval string = "1+2" | return $string] with the string 1+2, which then allows eval to attribute the value 3 to the "sum" field.

While this answers the initial query of sourcing an eval expression with a string from an external source, your use-case seems more complex as it would require iteration over a result set, using different eval expressions based on a field in the result - "eventtype", if I'm not mistaken.

I can think of two ways that you may be able to achieve this:

  • Use map as an iterator over your result set
  • Provided that there is low variance in the eval expressions that you want to apply, you might want to consider simply doing this in-line (or better yet, with an EVAL- directive in props.conf) using a case() statement. If you have to map a large number of eventtypes to a small number of eval expressions, you'll probably want to introduce a field such as "output_format_type" in your lookup table mapping various eventtypes to the output format you would like. That "output_format_type" is what your eval case() statement would operate on to decide what output format is appropriate.
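As an added example (not from the thread or any of its posters), the second option above worked through end to end: makeresults stands in for the result set, and the inline eval of output_format_type stands in for a `| lookup Alerts eventtype OUTPUT output_format_type` step against a lookup table (the lookup name and field are assumptions).

```spl
| makeresults count=3
| streamstats count AS n
| eval host = "web".n,
       count = n * 7,
       eventtype = case(n==1, "Apache", n==2, "Nginx", true(), "Other")
| eval output_format_type = case(eventtype=="Apache", "apache_host_errors",
                                 eventtype=="Nginx",  "generic_host_count",
                                 true(),              "unmapped")
| eval out = case(output_format_type=="apache_host_errors",
                    "Apache host:".host." has ".count." errors",
                  output_format_type=="generic_host_count",
                    eventtype." host ".host." reported ".count." events",
                  true(),
                    "no output format for eventtype ".eventtype)
| table eventtype host count output_format_type out
```

Because the expressions live in the case() branches rather than in a string, the set of things eval can execute is fixed by the search author; the return-based substitution splices whatever text the subsearch yields into the pipeline, so the source of that text needs the same trust as the search itself.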

Builder

My question comes down to this:

| eval str="1+2"
| eval sum=eval(str)


Explorer

Are you looking to do any operation, or would it always be sum?
| eval str="1+2"
| rex field=str "(?<A>\d+)\+(?<B>\d+)"
| eval sum=A+B

identifying the operator would make it more complicated, but it could probably be done...


Builder

Mostly it is a string concatenation, "apache host: ".host
While host is common, often they include custom field extractions.


Explorer

Not sure I fully understand the question, but would you be looking to do something like this?
... | stats count by host | eval verbose="Apache host ".host." has ".count." errors" | table verbose

or if "Apache host hostname has count errors" is your input you could do
... | rex "Apache host (?<hostname>[^\s]+) has (?<count>\d+) errors" | table hostname, count


SplunkTrust

I believe you have a similar requirement to this user:
http://answers.splunk.com/answers/222645/how-to-set-fielda-to-valuefieldb-inline-search-rep.html

You can try the option that I suggested in the above post.


SplunkTrust

Can you provide the full query you're using (or will use), along with how many rows you're going to get?


Splunk Employee

Please post one actual event so we can help with a real search expression.


Builder

"Apache host:".host." has ".count." errors"


Splunk Employee

Oh come on now Frank, fill in the blanks 🙂


Builder

That is about it. My table will have something like:

eventtype,output
Apache,"""Apache host:"".host."" has "".count."" errors"""

I will do something like
[inputcsv Alerts | fields eventtype] | lookup Alerts eventtype | eval out={output} | table out
