Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Searching for a substring when using eval?

msarro
Builder
‎12-21-2010 03:15 AM

I am trying to set up a fairly simple search:

index="sandbox" sourcetype="as-cdr" |stats count(eval(Calling_Number=*2155551220)) AS callsMade count(eval(Called_Number=*2155551220)) AS callsRecvd

However I receive an error stating:

Error in 'stats' command: The eval expression for dynamic field 'eval(Calling_Number=*2155551220)' is invalid. Error='The expression is malformed. An unexpected character is reached at '*2155551220'.'

The issue that I'm encountering is that the telephone number listed sometimes appears in the Called_Number field as 12155551220, sometimes appears as +12155551220, and other times appears as 2155551220. I have attempted to perform the search using wildcards like *in front of the shortest version however it seems to only occasionally work. Is it possible to evaluate for a substring with eval?

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2011 05:50 PM

You have two problems with your use of eval:

  • You can't use wildcard patterns with the = operator in eval. You would have to use either the like() or searchmatch() eval functions, the LIKE operator, or use the replace() eval function and apply the = (or ==) operator to that.
  • You need to quote strings in eval. If you don't, eval tries to perform a numeric comparison (in which 0123 is equal to 123, and *123 is not a valid number).

So:

count(eval(replace(Calling_Number,"^(?:+1|1)?(.*)","\1") == "2155551220"))

is probably the best choice.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2011 05:53 PM

You could, if this is common, define a macro in macros.conf to normalize the phone number, and call that in your expressions everywhere

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-21-2010 05:20 PM

One potential easier solution might be to normalize the data after the fact. Something like this might work:

index="sandbox" sourcetype="as-cdr" |
rex mode=sed field=Calling_Number "s/(+1|1)(\d{10})/\2/" |
rex mode=sed field=Called_Number "s/(+1|1)(\d{10})/\2/" |
where Calling_Number=2155551220 OR Called_Number=2155551220 |
stats count(eval(Calling_Number=2155551220)) AS callsMade 
      count(eval(Called_Number=2155551220)) AS callsRecvd

That should filter off a "1" or "+1" at the beginning, if it's followed by a full 10 digits. I'm not 100% sure on the syntax, as splunk's sed differs a little from unix sed in terms of what needs a \ and what doesn't. But, it "should" work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...