Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to use eval on JSON data

janoonan
Explorer
‎03-25-2015 08:26 AM

I'm going to suggest this is a bug, and I believe I've a workaround. I wonder if I've missed something.

My JSON is of form attr=true or attr=false, and I want to put this into a graph. However, it's a little bit down, so it's global.container.attr

So, I have:
| strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm

Which works, and provides true or false, but I would prefer "attr" or "opposite" (for the opposite of attr).

| expr if(global.container.attr==true, "attr", "opposite") | strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm
would always equal 'opposite'.

What I found would work was to rename before hand..

| rename global.container.attr AS tmp | expr if(tmp==true, "attr", "opposite") | .... (and so on).

this might help someone else, and there may be a better way.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fdi01
Motivator
‎03-25-2015 10:10 AM

do like this:

...| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") |....

then you can use like this:

....| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") | stats count by attr

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-25-2015 10:17 AM

Since, you field name contains special character, in EVAL statements, you need to enclose it within single quotes. This should work fine for you.

| expr if('global.container.attr'==true, "attr", "opposite") | strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm
0 Karma
Reply
Solved! Jump to solution
Solution

fdi01
Motivator
‎03-25-2015 10:10 AM

do like this:

...| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") |....

then you can use like this:

....| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") | stats count by attr
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...