Eval on numerically named fields

Path Finder

I have several fields that are named as integers, i.e., 64, 110, 240, etc.

If I try and perform a calculation using eval on the values of these fields:

eval result=round(64/360,1)

Unfortunately, Splunk is interpreting those as integers, rather than interpreting them as field names.

To get around that, I changed the field names to 64k, 110k, 240k, 240k.

eval result=round(64k/360,1)

This also resulted in an error.

Error in 'eval' command: The expression is malformed. Expected ).

So I have to resort to some unnatural naming conventions to force Splunk to interpret this as a field name. First, I rename the fields as k64, k150, k240, etc. Then I run the following eval.

eval result=round(k64/360,1)

Then I rename things back.

Is there a better way to force Splunk to interpret '64' as a field name instead of as a number?

2 Solutions

Splunk Employee

Nope, Splunk has no way of knowing if the values you present are field names or string literals, so it assumes string literal.

Splunk Employee

You can tell eval that the string is a field name rather than a string literal by wrapping the string with '$'. For example:

| stats count as 123 | eval abc = $123$

Path Finder

One side effect to doing this is that wrapping in the $ characters breaks saved search. For example, the following statement:

eval 800k=round($800k$/360,1)

generates the following error:

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/360,1)'.
0 Karma

Explorer

The wrapping in $$ is handy and seems like the start in the right direction.

My issue is similar to this one. The difference is that there are 1 million possible numeric field names, and there are a variable number of KV pairs per message (1 to 100):
TS stuff [7123456=23,7987654=3,7198273=16]

The fields all start with the digit 7.
Currently I have
| stats count(*) # this counts all fields

I would like to be able to
|stats count ($7[0-9]+$)

0 Karma

SplunkTrust

plynch52 - Resurrecting a 5-year-old completed question on a related issue with a new comment is not likely to get you the attention that your current issue deserves.

The best way to get participation and useful advice / help from the community is to start a new question and link to the old one. Put as much detail about your current issue as possible, and put the links to prior similar questions and answers only enough to demonstrate that you did some research before you wrote your question.

0 Karma

Path Finder

Thanks Stephen. Worked perfectly.

0 Karma

Path Finder

But Splunk is not interpreting '64' as a string but rather as a number. There is no way to explicitly declare it as a string?

0 Karma
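
An added example, not part of the original thread: eval treats a single-quoted name on the right-hand side of an expression as a field reference, which avoids both the rename round trip and the $...$ form that collides with token substitution in saved searches. It also goes beyond the original question to cover the later comment about many numeric field names by using foreach with a wildcard; the sample row, its values, and the output field names (literal, from_field, n7) are constructed for illustration.

```spl
| makeresults ```constructed sample row; every field name and value below is made up```
| eval k64=180, k7123456=23, k7987654=3, k7198273=16
| rename k64 AS "64", k7123456 AS "7123456", k7987654 AS "7987654", k7198273 AS "7198273"
| eval literal=round(64/360,1) ```unquoted 64 is read as the number 64```
| eval from_field=round('64'/360,1) ```single-quoted '64' is read as the field named 64```
| eval n7=0
| foreach 7* [ eval n7 = n7 + if(isnotnull('<<FIELD>>'), 1, 0) ] ```counts populated fields whose names start with 7```
| table literal from_field n7
```

The two round() results differ because only the quoted form reads the field's value, and n7 counts the three constructed fields beginning with 7.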