Solved: How to use eval on JSON data

janoonan · ‎03-25-2015

I'm going to suggest this is a bug, and I believe I've a workaround. I wonder if I've missed something.

My JSON is of form attr=true or attr=false, and I want to put this into a graph. However, it's a little bit down, so it's global.container.attr

So, I have:
| strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm

Which works, and provides true or false, but I would prefer "attr" or "opposite" (for the opposite of attr).

| expr if(global.container.attr==true, "attr", "opposite") | strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm
would always equal 'opposite'.

What I found would work was to rename before hand..

| rename global.container.attr AS tmp | expr if(tmp==true, "attr", "opposite") | .... (and so on).

this might help someone else, and there may be a better way.

fdi01 · ‎03-25-2015

do like this:

...| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") |....

then you can use like this:

....| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") | stats count by attr

View solution in original post

somesoni2 · ‎03-25-2015

Since, you field name contains special character, in EVAL statements, you need to enclose it within single quotes. This should work fine for you.

| expr if('global.container.attr'==true, "attr", "opposite") | strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm

fdi01 · ‎03-25-2015

do like this:

...| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") |....

then you can use like this:

....| rename global.container.* AS  * | eval attr= if(attr==true, "attr", "opposite") | stats count by attr

How to use eval on JSON data

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!