I have several fields that are named as integers, i.e., 64, 110, 240, etc.
I try to perform a calculation using eval on the values of these fields:
eval result=round(64/360,1)
Unfortunately, Splunk is interpreting those as integers, rather than interpreting them as field names.
To get around that, I changed the field names to 64k, 110k, 240k, 240k.
eval result=round(64k/360,1)
This also resulted in an error.
Error in 'eval' command: The expression is malformed. Expected ).
So I have to resort to some unnatural naming conventions to force Splunk to interpret this as a field name. First, I rename the fields as k64, k150, k240, etc. Then I run the following eval.
eval result=round(k64/360,1)
Then I rename things back.
Is there a better way to force Splunk to interpret '64' as a field name instead of as a number?
Nope, Splunk has no way of knowing if the values you present are field names or string literals, so it assumes string literal.
You can tell eval that the string is a field name rather than a string literal by wrapping the string with '$'. For example:
| stats count as 123 | eval abc = $123$
I just ran into an issue with the accepted answer. While the $ works for a normal query, when using it in a dashboard the $123$ is evaluated as a dashboard token rather than a field. For a dashboard you must change it to single quotes.
| stats count as 123 | eval abc = round('123', 2)
One side effect to doing this is that wrapping in the $ characters breaks saved search. For example, the following statement:
eval 800k=round($800k$/360,1)
generates the following error:
[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/360,1)'.
The wrapping in $$ is handy and seems like the start in the right direction.
My issue is similar to this one. The difference is that there are 1 million possible numeric field names.
There are a variable number of KV pairs per message (1 to 100).
TS stuff [7123456=23,7987654=3,7198273=16]
The fields all start with the digit 7
Currently I have
| stats count(*) # this counts all fields
I would like to be able to
|stats count ($7[0-9]+$)
plynch52 - Resurrecting a 5-year-old completed question on a related issue with a new comment is not likely to get you the attention that your current issue deserves.
The best way to get participation and useful advice / help by the community, is to start a new question and link to the old one. Put as much detail about your current issue as possible, and put the links to prior similar questions and answers only enough to demonstrate that you did some research before you wrote your question.
Thanks Stephen. Worked perfectly.
Nope, Splunk has no way of knowing if the values you present are field names or string literals, so it assumes string literal.
But Splunk is not interpreting '64' as a string, but rather as a number. Is there no way to explicitly declare it as a string?