Why do I have to use eval for this search?

Explorer

Hi everyone,

Why does this search return nothing:

| stats count(status=200) AS Success

while this search returns what I expect?

| stats count(eval(status=200)) AS success


Re: Why do I have to use eval for this search?

SplunkTrust

The eval function says the argument to count is an expression rather than a field.

---
If this reply helps you, an upvote would be appreciated.

Re: Why do I have to use eval for this search?

Communicator

@adamfrisbee

In the first SPL there is no field named "status=200". So it fails.

| stats count(status=200) AS Success

The second one has eval nested in, which is equivalent to creating a new field with status=200. So now the stats counts the new field.

| stats count(eval(status=200)) AS success

 

Hope this helps


Re: Why do I have to use eval for this search?

SplunkTrust
| stats count(eval(status=200))

does NOT create a new field nor does it assign a value to a field. It merely examines the existing 'status' field in the event and returns 1 (true) if that value is 200 or 0 (zero, false) if it is something else. The count function then tabulates the eval results.

Note: stats count(eval(status=200)) may yield unexpected results when status<>200. Compare it to stats sum(eval(status=200)).

---
If this reply helps you, an upvote would be appreciated.


Re: Why do I have to use eval for this search?

Explorer

I thought `eval` always created a new field? 

Why does it not in this case?


Re: Why do I have to use eval for this search?

SplunkTrust

I guess you could say eval works differently within the stats command. Run this query to see for yourself.

| makeresults | eval status=404 
| stats count(eval(status=200)) as count, values(status) as status 
| table count status

You should get "0  404" as the result, showing the eval function had no effect on the status field.

---
If this reply helps you, an upvote would be appreciated.
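To see the same behaviour across several events rather than one, here is an added search (not from this thread or from Splunk's documentation) that builds five constructed events with eval case(...) and counts them in one stats pass; the status values are made up for the demo.

```spl
| makeresults count=5
| streamstats count AS n
| eval status=case(n<=3, 200, n=4, 404, n=5, 500)
| stats count AS total,
        count(status) AS has_status,
        count(eval(status=200)) AS success,
        count(eval(status>=400)) AS errors
```

count(status) counts every event that carries the field regardless of its value, while each count(eval(...)) column counts only the events where its expression is true, so success and errors never exceed total; the constructed status field is the only thing the eval clauses read, and no new field appears in the output.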