Hi.
I wonder whether someone may be able to help me please.
I'm using the query below:
| multisearch
[ search `gateway_wmf(APIClientRequest)` path=*test*]
[ search `wso2_wmf(APIRequestCompleted)` "request.detail.Context"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| rename request.detail.applicationProductionClientId as ClientID
| lookup consumercalls.csv ClientID OUTPUT Developer
| eval header=""
| foreach clientHeaders.test* [eval header=header+test<<MATCHSTR>>]
| bucket span=10s _time
| chart values(ClientID) as ClientID sum(clientHeaders.test*) as clientHeaders.test* by RequestID
| fields - RequestID
The query works, except that on random days I receive this error:
Failed to parse templatized search for field 'clientHeaders.test-client-device-id{}'
From comparing these dates I've discovered that it's because the fieldname has the {}.
Could someone tell me, please, whether there is a way to get around this?
Many thanks and kind regards
Chris
I saw a similar message below
[splunk-idx1] Failed to parse templatized search for field 'tag::eventtype'
This error was caused by the following foreach command.
| foreach *
[ eval <<FIELD>> = if(isnull(<<FIELD>>),"",<<FIELD>>)]
I think the <> template cannot handle fields containing special characters. I worked around this by adding | fields - tag::eventtype just before the foreach.
You can probably work around by adding | fields - 'clientHeaders.test-client-device-id{}'
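Added example, not part of the thread and not the posters' code: eval reads a field name containing characters such as -, . or {} when the name is wrapped in single quotes, so quoting the <<FIELD>> token lets foreach keep the field instead of removing it. The event is constructed sample data and the header layout is an assumption.

```spl
| makeresults
| eval _raw="{\"clientHeaders\": {\"test-client-device-id\": [\"dev-1\", \"dev-2\"], \"test-client-os\": \"ios\"}}"
| spath
| eval header=""
| foreach clientHeaders.test*
    [ eval header=header . "<<FIELD>>=" . coalesce(mvjoin('<<FIELD>>', ","), "") . ";" ]
| table header
```

spath names the JSON array field clientHeaders.test-client-device-id{}, which is the field name shape reported in the error above.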
Is that JSON format data?
Look into the | spath command.
Hi @adonio. Thank you for coming back to me with this.
Yes, the data is in a JSON style format, but it is a fieldname and not data which I have an issue with.
Many thanks and kind regards
Chris