Splunk Search

Searching for a substring when using eval?


I am trying to set up a fairly simple search:

index="sandbox" sourcetype="as-cdr" |stats count(eval(Calling_Number=*2155551220)) AS callsMade count(eval(Called_Number=*2155551220)) AS callsRecvd

However I receive an error stating:

Error in 'stats' command: The eval expression for dynamic field 'eval(Calling_Number=*2155551220)' is invalid. Error='The expression is malformed. An unexpected character is reached at '*2155551220'.'

The issue that I'm encountering is that the telephone number listed sometimes appears in the Called_Number field as 12155551220, sometimes appears as +12155551220, and other times appears as 2155551220. I have attempted to perform the search using wildcards like *in front of the shortest version however it seems to only occasionally work. Is it possible to evaluate for a substring with eval?

Splunk Employee
Splunk Employee

You have two problems with your use of eval:

  • You can't use wildcard patterns with the = operator in eval. You would have to use either the like() or searchmatch() eval functions, the LIKE operator, or use the replace() eval function and apply the = (or ==) operator to that.
  • You need to quote strings in eval. If you don't, eval tries to perform a numeric comparison (in which 0123 is equal to 123, and *123 is not a valid number).


count(eval(replace(Calling_Number,"^(?:+1|1)?(.*)","\1") == "2155551220"))

is probably the best choice.

0 Karma

Splunk Employee
Splunk Employee

You could, if this is common, define a macro in macros.conf to normalize the phone number, and call that in your expressions everywhere

0 Karma


One potential easier solution might be to normalize the data after the fact. Something like this might work:

index="sandbox" sourcetype="as-cdr" |
rex mode=sed field=Calling_Number "s/(+1|1)(\d{10})/\2/" |
rex mode=sed field=Called_Number "s/(+1|1)(\d{10})/\2/" |
where Calling_Number=2155551220 OR Called_Number=2155551220 |
stats count(eval(Calling_Number=2155551220)) AS callsMade 
      count(eval(Called_Number=2155551220)) AS callsRecvd

That should filter off a "1" or "+1" at the beginning, if it's followed by a full 10 digits. I'm not 100% sure on the syntax, as splunk's sed differs a little from unix sed in terms of what needs a \ and what doesn't. But, it "should" work.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!