Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search on data model object, weird behavior

MemoreX42
Explorer
‎04-24-2014 09:53 AM

Hi guys,

i'm fairly new to Splunk and have a problem regarding searches on data models.
So what i did is, i created a data model which introduces a new field to my events by an evaluation. Now i'm trying to search on this data and create reports.
So what i'm doing in my searches looks like this:

| datamodel Probe CityProbe search | stats values(Probe.Class)

Where "Class" is a field of type number in the events of my data object. This works fine and it produces the different values that are in "Class".
Now i'm trying to execute some if statements on this "Class" field, so i do something like the following:

| datamodel Probe CityProbe search | eval n = if(Probe.Class==1, "true", "false") | stats values(n)

This fails with "Error in 'eval' command: Typechecking failed. The '==' operator received different types.". So i tried to find out of what type the "Probe.Class" field is and it turns out that it is NULL all the time. I don't get how this can be, since the first query, working on the same field, works.

By the way, when i do this on the index itself, without the data model, it works.

Can anyone please enlighten me on how this works?
Thanks in advance

Regards, Karsten

Tags (2)
Reply

anchalsingh
Explorer
‎04-06-2017 01:38 AM

Use single quote around the field to resolve error as mentioned in the comment.

... | eval n = if('Probe.Class'==1, "true", "false") | ...

I got my issue resolved using this.

Reply

tpflicke
Path Finder
‎03-24-2015 04:58 AM

I had the same message and resolved it by single-quoting the fields inside the eval statement so the following might do the trick:

... | eval n = if('Probe.Class'==1, "true", "false") | ...
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...