Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use tags in stats/eval expression?

hse8fe
Explorer
‎03-28-2018 10:57 PM

Hello Community,

I have defined some tags like:
Field=Value --> TAG
OBJECT_TYPE=*_EMS --> EMS

Now I want to use this Tags within my eval statement:

|stats 
count(eval('tag::OBJECT_TYPE'="EMS")) AS EMS

But the count result is 0.
Thanks in advance for your support!

Reply

hse8fe
Explorer
‎03-29-2018 05:36 AM

Hello both,

Unfortunately all of your provided suggestions are returning 0 (which is not true):

  count(eval(tag="WWV")) AS WWV 
  count(eval(tag='WWV')) AS WWV0 
  count(eval('tag::OBJECT_TYPE'="WWV")) AS WWV1
  count(eval(match('tag::OBJECT_TYPE',"WWV"))) AS WWV2

Do you have any other ideas?!?

It's working with an AND combined search like 

count(eval(like(OBJECT_TYPE,"WWV%")OR like(OBJECT_TYPE,"%WWV"))) AS WWV

But it would be much more elegant for me to define the groupings globally with tags .

Thanks and regards Sebastian

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-29-2018 06:39 AM

My first solution, that uses tags, could work for you?
Bye.
Giuseppe

0 Karma
Reply

hse8fe
Explorer
‎03-29-2018 06:50 AM

I need to evaluate different tags in the result, here is my actual code without an search, the tags are defined centrally in the tag definition for the field OBJECT_TYPE.

index="eai_tsim_account_p" host="rbedilif" | stats  
count(eval(tag="WWV")) AS WWV0  
count(eval('tag::OBJECT_TYPE'="WWV")) AS WWV1 
count(eval(match('tag::OBJECT_TYPE',"WWV"))) AS WWV2 
count(eval(like(OBJECT_TYPE,"WWV%"))) AS WWV
count(eval(like(OBJECT_TYPE,"IFT%") OR like(OBJECT_TYPE,"IFC%") OR like(OBJECT_TYPE,"XML_INVOIC%") OR like(OBJECT_TYPE,"UTILMD%") OR like(OBJECT_TYPE,"XML_EPCIS"))) AS TMS  
count(eval(like(OBJECT_TYPE,"%VMI"))) AS VMI count(eval(like(OBJECT_TYPE,"INVRPTE%")OR like(OBJECT_TYPE,"DELJIT_SUPO_EMS") OR like(OBJECT_TYPE,"APERAK"))) AS EMS 
count(eval(like(OBJECT_TYPE,"DELFOR") OR like(OBJECT_TYPE,"DESADV") OR like(OBJECT_TYPE,"vda%") OR like(OBJECT_TYPE,"X12%") OR like(OBJECT_TYPE,"ORD%") OR like(OBJECT_TYPE,"INVRPT") OR like(OBJECT_TYPE,"edl") OR like(OBJECT_TYPE,"DELJIT"))) AS Procurement   
| transpose

This search/count is working for WWV, TMS, EMS and PROCURMENT but not for the first three tag based results WWV0, WWV1, WWV2

0 Karma
Reply

cmerriman
Super Champion
‎03-29-2018 05:06 AM

so maybe mine are just set up differently than yours. but my tag comes back as tag::eventtype. if yours comes back as tag::OBJECT_TYPE, perfect, keep using that.

how i got it to work:
|stats count(eval(match('tag::eventtype',"EMS"))) as EMS
but should still work with
|stats count(eval('tag::eventtype'="EMS")) as EMS
or just
|stats count(eval(tag="EMS")) as EMS

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-29-2018 05:02 AM

Hi hse8fe,
at first you could change your search:

my_search tag="EMS"
| stats count

Otherwise you could use eval in a different way:

my_search
| stats count(eval(tag="EMS")) AS EMS

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...