- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to think about wildcard/bulk renaming in AS cl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have three cases of wildcard renaming preceding an eval command that result in errors (searches below):
- In Case 1 we observe a silent error whereby a duplicate field (of the same name!) is created with a different value, and
- in Case 2, we have an overt error in eval ("Expected )").
The solution is to employ quotes, but the rules appear different in each case (see below table). In light of this, how should we be thinking about wildcard/bulk renaming in an "as" clause preceding an eval?
The apparent rules are summarized in the following table. The first row is modeled after the relevant elements of the final eval statement in the below searches. The red options do not work as expected (either due to created a duplicate field in Text prefix case, or due to an eval error in the Numeric prefix case).
| | eval <field> = | if( isnotnull(_____), | _____,0) |
| Case 1: Text prefix | <field> | "<field>" | '<field>' | <field> | '<field>' |
| Case 2: Numeric prefix | <field> | "<field>" | '<field>' | <field> | '<field>' |
| Case 3: Suffix | <field> | "<field>" | '<field>' | <field> | '<field>' |
Reproduce Case 1 with this search (generates duplicate field with value 0):
index=_internal sourcetype=splunkd earliest=-5m@m latest=@m
| timechart span=1m c as ct, avg(linecount) as lc by sourcetype
| rename ct:* as *_ct
| stats sum(*_ct) as *_txtprefix
| eval splunkd_txtprefix = if(isnotnull(splunkd_txtprefix),splunkd_txtprefix,0)
Reproduce Case 2 and Case 3 with this search (generates eval error):
index=_internal sourcetype=splunkd earliest=-5m@m latest=@m
| timechart span=1m avg(linecount) as lc_100, max(linecount) as lc_200, sum(linecount) as 100_lc, min(linecount) as 200_lc
| stats sum(lc_*) as *_numprefix, sum(*_lc) as numsuffix_*
| eval 100_numprefix = if(isnotnull(100_numprefix),100_numprefix,0), numsuffix_100 = if(isnotnull(numsuffix_100),numsuffix_100,0)
You can resolve the error by replacing the final line with
| eval 100_numprefix = if(isnotnull('100_numprefix'),'100_numprefix',0), numsuffix_100 = if(isnotnull(numsuffix_100),numsuffix_100,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in your first example when splitting by clause in time chart you get
ct:<<SPACE>>splund
so when you
rename ct:* as *_ct the new field has a space prefix, when then 'appears' to be a duplicate (you can see the prefix if you transpose the results).
The rename can be done as
| rename "ct: *" as *_ctso you ignore the space when capturing the wildcard
In the other example, you MUST use single quote characters in eval statements when the field name does not start with an alpha character. The sample applies to field names containing spaces and other odd characters. It can be good practice to always wrap fields in eval statement with single quotes.
A technique to handle timecharts when using split by clauses is to use the foreach command to iterate through field names, for example this does essentially the same thing as the rename (actually it creates a new variable, but same output)
| foreach "ct: *" [ eval <<MATCHSTR>>_ct='<<FIELD>>' ]but note that the double quotes are still needed to handle the space character between the name (ct) and the split by value.
So, basic rule for fields
Left hand side of eval statements, use double quotes
Right hand side of eval statements use single quotes
and in all other statements where fields are use (rename|fields|stats etc) use double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in your first example when splitting by clause in time chart you get
ct:<<SPACE>>splund
so when you
rename ct:* as *_ct the new field has a space prefix, when then 'appears' to be a duplicate (you can see the prefix if you transpose the results).
The rename can be done as
| rename "ct: *" as *_ctso you ignore the space when capturing the wildcard
In the other example, you MUST use single quote characters in eval statements when the field name does not start with an alpha character. The sample applies to field names containing spaces and other odd characters. It can be good practice to always wrap fields in eval statement with single quotes.
A technique to handle timecharts when using split by clauses is to use the foreach command to iterate through field names, for example this does essentially the same thing as the rename (actually it creates a new variable, but same output)
| foreach "ct: *" [ eval <<MATCHSTR>>_ct='<<FIELD>>' ]but note that the double quotes are still needed to handle the space character between the name (ct) and the split by value.
So, basic rule for fields
Left hand side of eval statements, use double quotes
Right hand side of eval statements use single quotes
and in all other statements where fields are use (rename|fields|stats etc) use double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the first case, I think maybe the field is getting prepended with a space? So your check would be null because that field (w/o a space) doesn't exist, and so it creates a new field (w/o the space)
At least, that's what I see when I do this...
....
| stats sum(*_ct) as *_txtprefix
| transpose
| eval column = "|" . column . "|"
So maybe something like this is "valid" (I just use coalesce so i have type less)?
| eval " splunkd_txtprefix" = coalesce(' splunkd_txtprefix',0)
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
