Splunk Search

Eval usage limit?

kmattern
Builder

Is there a limit to the number of eval functions that can be used in a single search? It appears that when using more than about 17 eval statements, the search will not even try to run. I just get a greyed-out search bar and a prohibited mouse pointer. I have one search that has 17 evals and it runs, but I can't seem to cross that limit.

0 Karma

devin_stonecyph
Explorer

Try using a case statement instead of all those ifs.

0 Karma

martin_mueller
SplunkTrust

There are no if expressions in the posted searches.

0 Karma

martin_mueller
SplunkTrust

Running this query works without a hitch for me, with about four dozen evals:

| stats count as NUM
| eval EVENT_DATE = NUM
| eval SYS_CODE = NUM
| eval DISC_TIME = NUM
| eval STATUS = NUM
| eval SLOT = NUM
| eval MILES = NUM
| eval WHEN_DWN = NUM
| eval HOW_LOC = NUM
| eval DMG_CD = NUM
| eval DELAY = NUM
| eval CHG = NUM
| eval ED="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN="<td>NUM<BR />".NUM."</td>"
| eval SC="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST="<td>STATUS<BR />".STATUS."</td>"
| eval DP="<td>SLOT<BR />".SLOT."</td>"
| eval EB="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC="<td>CHG<BR />".CHG."</td>"
| eval ED2="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN2="<td>NUM<BR />".NUM."</td>"
| eval SC2="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT2="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST2="<td>STATUS<BR />".STATUS."</td>"
| eval DP2="<td>SLOT<BR />".SLOT."</td>"
| eval EB2="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD2="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR2="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF2="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY2="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC2="<td>CHG<BR />".CHG."</td>"
| eval ED3="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN3="<td>NUM<BR />".NUM."</td>"
| eval SC3="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT3="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST3="<td>STATUS<BR />".STATUS."</td>"
| eval DP3="<td>SLOT<BR />".SLOT."</td>"
| eval EB3="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD3="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR3="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF3="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY3="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC3="<td>CHG<BR />".CHG."</td>"

kristian_kolb
Ultra Champion

edited the comment to format as <code>, which shows the HTML kmattern is trying to create - I guess ...

0 Karma

linu1988
Champion

What are those dots doing in the bracket? On first look the query is wrong with mismatching quotes.

0 Karma

kmattern
Builder

My evals tend to look like this.

| eval ED="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN="<td>NUM<BR />".NUM."</td>"
| eval SC="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST="<td>STATUS<BR />".STATUS."</td>"
| eval DP="<td>SLOT<BR />".SLOT."</td>"
| eval EB="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC="<td>CHG<BR />".CHG."</td>"

0 Karma

martin_mueller
SplunkTrust

A large number of eval calls in and of themselves seem fine to me:

| stats count
| eval foo0 = 1 | eval foo1 = 1 | eval foo2 = 1 | eval foo3 = 1 | eval foo4 = 1 | eval foo5 = 1 | eval foo6 = 1 | eval foo7 = 1 | eval foo8 = 1 | eval foo9 = 1
| eval foo10 = 1 | eval foo11 = 1 | eval foo12 = 1 | eval foo13 = 1 | eval foo14 = 1 | eval foo15 = 1 | eval foo16 = 1 | eval foo17 = 1 | eval foo18 = 1 | eval foo19 = 1
| eval foo20 = 1 | eval foo21 = 1 | eval foo22 = 1 | eval foo23 = 1 | eval foo24 = 1 | eval foo25 = 1 | eval foo26 = 1 | eval foo27 = 1 | eval foo28 = 1 | eval foo29 = 1
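Both of martin_mueller's test searches and kmattern's own evals follow the same shape: one `| eval` per HTML cell, repeated with numeric suffixes. The script below is an added example (not code from this thread or from Splunk) that generates that eval chain programmatically, counts the evals, and does the quote-balance sanity check linu1988 was getting at, splitting the pipeline only on pipes that sit outside double-quoted strings. The column list is constructed from the aliases, labels and field names in kmattern's evals; the optional `html_safe` wrapper, which nests SPL `replace()` calls so that `&`, `<` and `>` in field values are entity-encoded before they land inside the `<td>`, is my own suggestion for this pattern, not something the thread proposes.

```python
"""Generate and sanity-check a long SPL eval chain.

Added example. Assumptions: COLUMNS is constructed from the evals posted
in the thread; SPL string concatenation with "." and the eval function
replace(X, Y, Z) exist, but wrapping fields in replace() to escape HTML
metacharacters is an illustration, not a Splunk recommendation.
"""

# (alias, cell label, source field, colspan), taken from kmattern's evals.
COLUMNS = [
    ("ED", "DATE", "EVENT_DATE", 1),
    ("EN", "NUM", "NUM", 1),
    ("SC", "SYS", "SYS_CODE", 1),
    ("DT", "TIME", "DISC_TIME", 1),
    ("ST", "STATUS", "STATUS", 1),
    ("DP", "SLOT", "SLOT", 1),
    ("EB", "VEHC MILES", "MILES", 2),
    ("WD", "WHEN DOWN", "WHEN_DWN", 2),
    ("HR", "HOW LOC", "HOW_LOC", 1),
    ("MF", "DMG CD", "DMG_CD", 1),
    ("DLY", "DELAY", "DELAY", 4),
    ("WUC", "CHG", "CHG", 1),
]


def html_safe(field: str) -> str:
    """Nest SPL replace() calls so &, < and > in the field value are
    entity-encoded before being concatenated into the <td> markup.
    '&' is replaced first so the later entities are not double-encoded."""
    expr = field
    for raw, esc in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;")):
        expr = f'replace({expr}, "{raw}", "{esc}")'
    return expr


def cell_eval(alias: str, label: str, field: str, colspan: int = 1,
              escape: bool = True) -> str:
    """One '| eval ALIAS="<td>LABEL<BR />".FIELD."</td>"' line, in the
    exact form used in the thread when escape=False."""
    td = "<td>" if colspan == 1 else f"<td colspan='{colspan}'>"
    value = html_safe(field) if escape else field
    return f'| eval {alias}="{td}{label}<BR />".{value}."</td>"'


def build_search(columns=COLUMNS, copies: int = 1, escape: bool = True) -> str:
    """Reproduce the test search: a single stats row, every source field
    set from NUM, then the cell evals repeated `copies` times with the
    suffixes the thread used (ED, ED2, ED3, ...)."""
    lines = ["| stats count as NUM"]
    lines += [f"| eval {f} = NUM" for _, _, f, _ in columns if f != "NUM"]
    for n in range(1, copies + 1):
        suffix = "" if n == 1 else str(n)
        for alias, label, field, span in columns:
            lines.append(cell_eval(alias + suffix, label, field, span, escape))
    return "\n".join(lines)


def split_pipeline(search: str):
    """Split SPL on pipes outside double-quoted strings (backslash escapes
    honoured inside strings). Returns (segments, quotes_balanced); an
    unbalanced result is the first thing to check when a search will not run."""
    segments, buf = [], []
    in_str = escaped = False
    for ch in search:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_str:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_str = not in_str
        elif ch == "|" and not in_str:
            segments.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    segments.append("".join(buf))
    return [s.strip() for s in segments if s.strip()], not in_str


def count_evals(search: str) -> int:
    """Number of '| eval' commands in the pipeline."""
    segments, _ = split_pipeline(search)
    return sum(1 for seg in segments if seg.startswith("eval "))


if __name__ == "__main__":
    search = build_search(copies=3, escape=False)
    print(search)
    print("evals:", count_evals(search), "balanced:", split_pipeline(search)[1])
```

With `copies=3` and `escape=False` the output is the 47-eval search from martin_mueller's test (11 field setups plus 12 cells times 3), which matches his "about four dozen" and runs; flipping `escape=True` keeps the eval count identical and only changes what each cell concatenates.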