Eval on numerically named fields

jcbrendsel
Path Finder

I have several fields that are named as integers, i.e., 64, 110, 240, etc.

I try to perform a calculation using eval on the values of these fields:

eval result=round(64/360,1)

Unfortunately, Splunk is interpreting those as integers, rather than interpreting them as field names.

To get around that, I changed the field names to 64k, 110k, 240k, 240k.

eval result=round(64k/360,1)

This also resulted in an error.

Error in 'eval' command: The expression is malformed. Expected ).

So I have to resort to some unnatural naming conventions to force Splunk to interpret this as a field name. First, I rename the fields as k64, k150, k240, etc. Then I run the following eval.

eval result=round(k64/360,1)

Then I rename things back.

Is there a better way to force Splunk to interpret '64' as a field name instead of as a number?


Stephen_Sorkin
Splunk Employee

You can tell eval that the string is a field name rather than a string literal by wrapping the string with '$'. For example:

| stats count as 123 | eval abc = $123$

tmcmaster
Explorer

I just ran into an issue with the accepted answer. While the $ works for a normal query, when used in a dashboard the $123$ is evaluated as a dashboard token rather than a field. For a dashboard you must change it to single quotes.

| stats count as 123 | eval abc = round('123', 2)

0 Karma
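The single-quote form from the reply above, as an added example that is not part of the original thread. The field values (180, 90, 270) and the output names `rate_*`, `bare_64` and `quoted_64` are constructed for illustration. It goes one step beyond the reply by using `foreach` to apply the same calculation to every numerically named field, which avoids the rename-and-rename-back workaround from the question; `bare_64` and `quoted_64` then show the number 64 and the field named 64 side by side.

```spl
| makeresults
| eval a=180, b=90, c=270
| rename a as "64", b as "110", c as "240"
| fields - _time
| foreach * [ eval rate_<<FIELD>>=round('<<FIELD>>'/360,1) ]
| eval bare_64=round(64/360,1), quoted_64=round('64'/360,1)
```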

jcbrendsel
Path Finder

One side effect to doing this is that wrapping in the $ characters breaks saved search. For example, the following statement:

eval 800k=round($800k$/360,1)

generates the following error:

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/360,1)'.
0 Karma

plynch52
Explorer

The wrapping in $$ is handy and seems like the start in the right direction.

My issue is similar to this one. The difference is that there are 1 million possible numeric field names.
There are a variable number of KV pairs per message (1 to 100):
TS stuff [7123456=23,7987654=3,7198273=16]

The fields all start with the digit 7.
Currently I have
| stats count(*) # this counts all fields

I would like to be able to
|stats count ($7[0-9]+$)

0 Karma

DalJeanis
SplunkTrust

plynch52 - Resurrecting a 5-year-old completed question on a related issue with a new comment is not likely to get you the attention that your current issue deserves.

The best way to get participation and useful advice / help by the community, is to start a new question and link to the old one. Put as much detail about your current issue as possible, and put the links to prior similar questions and answers only enough to demonstrate that you did some research before you wrote your question.

0 Karma

jcbrendsel
Path Finder

Thanks Stephen. Worked perfectly.

0 Karma

araitz
Splunk Employee

Nope, Splunk has no way of knowing if the values you present are field names or string literals, so it assumes string literal.

jcbrendsel
Path Finder

But Splunk is not interpreting '64' as a string, rather as a number. There is no way to explicitly declare it as a string?

0 Karma