Splunk Search

Eval usage limit?

kmattern
Builder

Is there a limit to the number of eval functions that can be used in a single search? It appears that when using more than about 17 eval statements, the search will not even try to run. I just get a greyed-out search bar and a prohibited mouse pointer. I have one search that has 17 evals and it runs, but I can't seem to cross that limit.

0 Karma

devin_stonecyph
Explorer

Try using a case statement instead of all those ifs.

0 Karma

martin_mueller
SplunkTrust

There are no if expressions in the posted searches.

0 Karma

martin_mueller
SplunkTrust

Running this query works without a hitch for me, with about four dozen evals:

| stats count as NUM | eval EVENT_DATE = NUM | eval SYS_CODE = NUM | eval DISC_TIME = NUM | eval STATUS = NUM | eval SLOT = NUM | eval MILES = NUM | eval WHEN_DWN = NUM | eval HOW_LOC = NUM | eval DMG_CD = NUM | eval DELAY = NUM | eval CHG = NUM | eval ED="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN="<td>NUM<BR />".NUM."</td>"
| eval SC="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST="<td>STATUS<BR />".STATUS."</td>"
| eval DP="<td>SLOT<BR />".SLOT."</td>"
| eval EB="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC="<td>CHG<BR />".CHG."</td>"
| eval ED2="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN2="<td>NUM<BR />".NUM."</td>"
| eval SC2="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT2="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST2="<td>STATUS<BR />".STATUS."</td>"
| eval DP2="<td>SLOT<BR />".SLOT."</td>"
| eval EB2="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD2="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR2="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF2="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY2="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC2="<td>CHG<BR />".CHG."</td>"
| eval ED3="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN3="<td>NUM<BR />".NUM."</td>"
| eval SC3="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT3="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST3="<td>STATUS<BR />".STATUS."</td>"
| eval DP3="<td>SLOT<BR />".SLOT."</td>"
| eval EB3="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD3="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR3="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF3="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY3="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC3="<td>CHG<BR />".CHG."</td>"

kristian_kolb
Ultra Champion

edited the comment to format as <code>, which shows the HTML kmattern is trying to create - I guess ...

0 Karma

linu1988
Champion

What are those dots doing in the bracket? On first look the query is wrong, with mismatching quotes.

0 Karma

kmattern
Builder

My evals tend to look like this.

| eval ED="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN="<td>NUM<BR />".NUM."</td>"
| eval SC="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST="<td>STATUS<BR />".STATUS."</td>"
| eval DP="<td>SLOT<BR />".SLOT."</td>"
| eval EB="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC="<td>CHG<BR />".CHG."</td>"

0 Karma

martin_mueller
SplunkTrust

A large number of eval calls in and of themselves seem fine to me:

| stats count
| eval foo0 = 1 | eval foo1 = 1 | eval foo2 = 1 | eval foo3 = 1 | eval foo4 = 1 | eval foo5 = 1 | eval foo6 = 1 | eval foo7 = 1 | eval foo8 = 1 | eval foo9 = 1
| eval foo10 = 1 | eval foo11 = 1 | eval foo12 = 1 | eval foo13 = 1 | eval foo14 = 1 | eval foo15 = 1 | eval foo16 = 1 | eval foo17 = 1 | eval foo18 = 1 | eval foo19 = 1
| eval foo20 = 1 | eval foo21 = 1 | eval foo22 = 1 | eval foo23 = 1 | eval foo24 = 1 | eval foo25 = 1 | eval foo26 = 1 | eval foo27 = 1 | eval foo28 = 1 | eval foo29 = 1