Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use eval on JSON data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm going to suggest this is a bug, and I believe I've a workaround. I wonder if I've missed something.
My JSON is of form attr=true or attr=false, and I want to put this into a graph. However, it's a little bit down, so it's global.container.attr
So, I have:
| strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm
Which works, and provides true or false, but I would prefer "attr" or "opposite" (for the opposite of attr).
| expr if(global.container.attr==true, "attr", "opposite") | strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm
would always equal 'opposite'.
What I found would work was to rename before hand..
| rename global.container.attr AS tmp | expr if(tmp==true, "attr", "opposite") | .... (and so on).
this might help someone else, and there may be a better way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do like this:
...| rename global.container.* AS * | eval attr= if(attr==true, "attr", "opposite") |....
then you can use like this:
....| rename global.container.* AS * | eval attr= if(attr==true, "attr", "opposite") | stats count by attr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since, you field name contains special character, in EVAL statements, you need to enclose it within single quotes. This should work fine for you.
| expr if('global.container.attr'==true, "attr", "opposite") | strcat otherterm " " global.container.attr combinedterm | ... | stats count by combinedterm
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do like this:
...| rename global.container.* AS * | eval attr= if(attr==true, "attr", "opposite") |....
then you can use like this:
....| rename global.container.* AS * | eval attr= if(attr==true, "attr", "opposite") | stats count by attr
Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All
[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk
New Year. New Skills. New Course Releases from Splunk Education
