Splunk Search

Foreach fails if field contains colon or dot.

Explorer

On running this search,

  | makeresults count=20
    | streamstats count
    | eval "genie.name"="foo", "genie:id"="bar"
    | foreach genie* 
        [eval new_<<MATCHSTR>>=<<FIELD>>+"some string"]

I am expecting that two new fields named new_name and new_id would show, but that doesn't happen. Also an error comes up Failed to parse templatized search for field 'genie:id'

I am running on my local Splunk instance.

Thanks.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

It's not foreach that's failing, it's eval interpreting the dot as the concatenation operator. Enclose field names with operators in them in single quotes:

| foreach genie* [ eval new_<<MATCHSTR>> = '<<FIELD>>' + "some string" ]

View solution in original post

SplunkTrust
SplunkTrust

It's not foreach that's failing, it's eval interpreting the dot as the concatenation operator. Enclose field names with operators in them in single quotes:

| foreach genie* [ eval new_<<MATCHSTR>> = '<<FIELD>>' + "some string" ]

View solution in original post

Explorer

Thank you so much. This worked.

0 Karma