Splunk Search

How to think about wildcard/bulk renaming in AS clause when piping to eval?

curtismcginity
Explorer

We have three cases of wildcard renaming preceding an eval command that result in errors (searches below):

  • In Case 1 we observe a silent error whereby a duplicate field (of the same name!) is created with a different value, and
  • in Case 2, we have an overt error in eval ("Expected )").

The solution is to employ quotes, but the rules appear different in each case (see below table). In light of this, how should we be thinking about wildcard/bulk renaming in an "as" clause preceding an eval?

The apparent rules are summarized in the following table. The first row is modeled after the relevant elements of the final eval statement in the searches below. The red options do not work as expected (either because they create a duplicate field in the Text prefix case, or because they raise an eval error in the Numeric prefix case).

| Case | eval <field> = | if( isnotnull(_____),_____,0) |
| Case 1: Text prefix | <field> / "<field>" / '<field>' | <field> / '<field>' |
| Case 2: Numeric prefix | <field> / "<field>" / '<field>' | <field> / '<field>' |
| Case 3: Suffix | <field> / "<field>" / '<field>' | <field> / '<field>' |

Reproduce Case 1 with this search (generates duplicate field with value 0):

index=_internal sourcetype=splunkd earliest=-5m@m latest=@m
| timechart span=1m c as ct, avg(linecount) as lc by sourcetype
| rename ct:* as *_ct
| stats sum(*_ct) as *_txtprefix
| eval splunkd_txtprefix = if(isnotnull(splunkd_txtprefix),splunkd_txtprefix,0)

Reproduce Case 2 and Case 3 with this search (generates eval error):

index=_internal sourcetype=splunkd earliest=-5m@m latest=@m
| timechart span=1m avg(linecount) as lc_100, max(linecount) as lc_200, sum(linecount) as 100_lc, min(linecount) as 200_lc
| stats sum(lc_*) as *_numprefix, sum(*_lc) as numsuffix_*
| eval 100_numprefix = if(isnotnull(100_numprefix),100_numprefix,0), numsuffix_100 = if(isnotnull(numsuffix_100),numsuffix_100,0)

You can resolve the error by replacing the final line with

| eval 100_numprefix = if(isnotnull('100_numprefix'),'100_numprefix',0), numsuffix_100 = if(isnotnull(numsuffix_100),numsuffix_100,0)


bowesmana
SplunkTrust

So in your first example, when using the split-by clause in timechart you get

ct:<<SPACE>>splunkd

so when you

rename ct:* as *_ct

the new field has a space prefix, which then 'appears' to be a duplicate (you can see the prefix if you transpose the results).

The rename can be done as

| rename "ct: *" as *_ct

so you ignore the space when capturing the wildcard.

In the other example, you MUST use single quote characters in eval statements when the field name does not start with an alpha character. The same applies to field names containing spaces and other odd characters. It can be good practice to always wrap fields in eval statements with single quotes.

A technique to handle timecharts when using split-by clauses is to use the foreach command to iterate through field names. For example, this does essentially the same thing as the rename (actually it creates a new variable, but same output):

| foreach "ct: *" [ eval <<MATCHSTR>>_ct='<<FIELD>>' ]

but note that the double quotes are still needed to handle the space character between the name (ct) and the split-by value.

So, basic rule for fields:

Left hand side of eval statements, use double quotes

Right hand side of eval statements, use single quotes

and in all other statements where fields are used (rename|fields|stats etc.) use double quotes.
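
Worked end to end, as an added example that is not part of this thread: the three searches below apply the rules above to synthetic events built with makeresults (the sourcetype names, counts and linecount values are made up), so they run on any Splunk instance without touching index=_internal. The first search is Case 1 with the quoted rename, the second is Cases 2 and 3 with numeric prefixes and suffixes, and the third swaps the rename for the foreach form; in every eval the left-hand side is double-quoted and the right-hand side single-quoted.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = now() - (n * 60), linecount = n * 10,
       sourcetype = if(n % 2 == 0, "splunkd", "splunkd_access")
| timechart span=1m count as ct, avg(linecount) as lc by sourcetype
| rename "ct: *" as *_ct
| stats sum(*_ct) as *_txtprefix
| eval "splunkd_txtprefix" = if(isnotnull('splunkd_txtprefix'), 'splunkd_txtprefix', 0)

| makeresults count=1
| eval lc_100 = 5, lc_200 = 7, "100_lc" = 2, "200_lc" = 3
| stats sum(lc_*) as *_numprefix, sum(*_lc) as numsuffix_*
| eval "100_numprefix" = if(isnotnull('100_numprefix'), '100_numprefix', 0),
       "numsuffix_100" = if(isnotnull('numsuffix_100'), 'numsuffix_100', 0)

| makeresults count=6
| streamstats count as n
| eval _time = now() - (n * 60), linecount = n * 10,
       sourcetype = if(n % 2 == 0, "splunkd", "splunkd_access")
| timechart span=1m count as ct, avg(linecount) as lc by sourcetype
| foreach "ct: *" [ eval <<MATCHSTR>>_ct = '<<FIELD>>' ]
| stats sum(*_ct) as *_txtprefix
| eval "splunkd_txtprefix" = if(isnotnull('splunkd_txtprefix'), 'splunkd_txtprefix', 0)
```

The first and third searches return one row with splunkd_txtprefix and splunkd_access_txtprefix (a count of 3 each) and no extra column; with the unquoted rename ct:* the row would instead carry a column named " splunkd_txtprefix" (leading space) plus a second splunkd_txtprefix holding 0, which in an alert or report reads as "nothing happened". The second search returns 100_numprefix, 200_numprefix, numsuffix_100 and numsuffix_200 carrying 5, 7, 2 and 3.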



maciep
Champion

For the first case, I think maybe the field is getting prepended with a space? So your check would be null because that field (w/o a space) doesn't exist, and so it creates a new field (w/o the space).

At least, that's what I see when I do this...

....
| stats sum(*_ct) as *_txtprefix
| transpose
| eval column = "|" . column . "|"


So maybe something like this is "valid" (I just use coalesce so I have to type less)?

| eval " splunkd_txtprefix" = coalesce(' splunkd_txtprefix',0)
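
A diagnostic search that generalises the transpose check above, added here and not part of the thread (the field names and values are constructed): it lists each field name between visible delimiters together with its length and whether it starts with whitespace, which is exactly what turns a bulk rename into a silent duplicate.

```spl
| makeresults count=1
| eval "ct: splunkd" = 5, "lc: splunkd" = 7
| rename ct:* as *_ct
| transpose
| eval leading_space = if(match(column, "^\s"), "yes", "no"), name_length = len(column)
| eval column = "|" . column . "|"
| table column name_length leading_space "row 1"
```

The renamed field appears as | splunkd_ct| with leading_space=yes; with | rename "ct: *" as *_ct it would appear as |splunkd_ct|. The same check is worth running on any saved search whose output feeds a dashboard or alert, since a stray space in a field name makes a later eval or where clause miss the field without any error.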
