Splunk Search

How to use tags in stats/eval expression?

hse8fe
Explorer

Hello Community,

I have defined some tags like:
Field=Value --> TAG
OBJECT_TYPE=*_EMS --> EMS

Now I want to use these tags within my eval statement:

|stats 
count(eval('tag::OBJECT_TYPE'="EMS")) AS EMS 

But the count result is 0.
Thanks in advance for your support!

hse8fe
Explorer

Hello both,

Unfortunately all of your provided suggestions are returning 0 (which is not true):

  count(eval(tag="WWV")) AS WWV 
  count(eval(tag='WWV')) AS WWV0 
  count(eval('tag::OBJECT_TYPE'="WWV")) AS WWV1
  count(eval(match('tag::OBJECT_TYPE',"WWV"))) AS WWV2

Do you have any other ideas?!?

It's working with an AND combined search like

count(eval(like(OBJECT_TYPE,"WWV%")OR like(OBJECT_TYPE,"%WWV"))) AS WWV

But it would be much more elegant for me to define the groupings globally with tags.

Thanks and regards Sebastian

0 Karma

gcusello
SplunkTrust

Could my first solution, which uses tags, work for you?
Bye.
Giuseppe

0 Karma

hse8fe
Explorer

I need to evaluate different tags in the result. Here is my actual code without a search; the tags are defined centrally in the tag definition for the field OBJECT_TYPE.

index="eai_tsim_account_p" host="rbedilif" | stats  
count(eval(tag="WWV")) AS WWV0  
count(eval('tag::OBJECT_TYPE'="WWV")) AS WWV1 
count(eval(match('tag::OBJECT_TYPE',"WWV"))) AS WWV2 
count(eval(like(OBJECT_TYPE,"WWV%"))) AS WWV
count(eval(like(OBJECT_TYPE,"IFT%") OR like(OBJECT_TYPE,"IFC%") OR like(OBJECT_TYPE,"XML_INVOIC%") OR like(OBJECT_TYPE,"UTILMD%") OR like(OBJECT_TYPE,"XML_EPCIS"))) AS TMS  
count(eval(like(OBJECT_TYPE,"%VMI"))) AS VMI
count(eval(like(OBJECT_TYPE,"INVRPTE%") OR like(OBJECT_TYPE,"DELJIT_SUPO_EMS") OR like(OBJECT_TYPE,"APERAK"))) AS EMS
count(eval(like(OBJECT_TYPE,"DELFOR") OR like(OBJECT_TYPE,"DESADV") OR like(OBJECT_TYPE,"vda%") OR like(OBJECT_TYPE,"X12%") OR like(OBJECT_TYPE,"ORD%") OR like(OBJECT_TYPE,"INVRPT") OR like(OBJECT_TYPE,"edl") OR like(OBJECT_TYPE,"DELJIT"))) AS Procurement   
| transpose

This search/count is working for WWV, TMS, EMS and Procurement, but not for the first three tag-based results WWV0, WWV1, WWV2.

0 Karma

cmerriman
Super Champion

so maybe mine are just set up differently than yours. but my tag comes back as tag::eventtype. if yours comes back as tag::OBJECT_TYPE, perfect, keep using that.

how i got it to work:
|stats count(eval(match('tag::eventtype',"EMS"))) as EMS
but should still work with
|stats count(eval('tag::eventtype'="EMS")) as EMS
or just
|stats count(eval(tag="EMS")) as EMS

0 Karma

gcusello
SplunkTrust

Hi hse8fe,
at first you could change your search:

my_search tag="EMS"
| stats count

Otherwise you could use eval in a different way:

my_search
| stats count(eval(tag="EMS")) AS EMS 

Bye.
Giuseppe

0 Karma