Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Eval function on a column that has spaces

ttanasovski
Explorer
‎07-27-2012 06:40 AM

Table blah, “has a space” |eval tonumber(“has a space”)/2

Do you know a way to do the above that works? In the above, it treats “has a space” as a string rather than the data in the column. My workaround is:

table blah, "has a space"|rename “has a space” as blah2|eval tonumber(blah2)/2|rename blah2 “has a space”

There has to be an easier way.

Tags (3)
Reply

jda258
Engager
‎12-23-2014 12:13 PM

I found the answer here: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Eval

You have to use single quotes instead of double quotes when referencing fields inside of eval functions:

Table blah, “has a space” |eval tonumber('has a space')/2

Reply

jda258
Engager
‎12-23-2014 12:15 PM

Also tricky is when assigning a result to a field as you need double quotes:

eval "field with spaces"=round('field with spaces')

Reply

Kate_Lawrence-G
Contributor
‎07-27-2012 01:30 PM

I would add a field extraction to pull out just the number from either the field or _raw data. If you pull out just a number into a field then Splunk will treat it as a number and you can perform functions on it.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-01-2013 05:11 PM

I have found a place where I need this, where the eval statement is happening in something automated. I tried the {} trick and it didn't work sadly. Namely --- given a field foo whose value is "fooValue", | eval {foo}=12 will create a field called fooValue whose value is 12. Not super widely known, but quite useful.

At any rate, from this you might hope that {"my field name has spaces"} would work in eval as a syntax to get around the problem, but sadly it doesn't. There's no error which is odd, but it doesn't end up referencing the field name with the spaces.

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎07-30-2012 05:43 AM

Just do field extractions without spaces in the field names.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎07-30-2012 05:39 AM

My experience has been that you'll need the rename.

0 Karma
Reply

ttanasovski
Explorer
‎07-29-2012 01:51 PM

So looking at my actual problem, it still stands. The tonumber is a bit of a red herring. I didn't actually need to use tonumber. The problem is that I want to use anything in eval with spaces. This is an extract, but the column name has a space in it.

table blah, "has a space"|rename “has a space” as blah2|eval blah2/2|rename blah2 “has a space”

If I try to do the following, I get an error:
table blah, "has a space" |eval "has a space"/2

How can I do the above without the rename?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...