Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why does the query only work in eval and not f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
02-01-2018
01:59 PM
Hi,
I have this query. If I change fieldformat to eval the query works but if it is left as fieldformat the query returns no results. First time I'm trying to use fieldformat so I don't quite understand what I'm missing.
earliest=-24h index=wholesale_app buildTarget=* product=* CustomAnalytic Properties.index=17 OR Properties.index=19 OR Properties.index=21 OR Properties.index=23 OR (Properties.index=>25 AND Properties.index<=32) buildTarget=* product=* |rename Properties.index as pindex|fieldformat pindextype=case(pindex == "17", "CVR Event Selected", pindex == "19", "CVR Fetch Events",pindex == "21", "CVR Event View Ended", pindex == "23", "CVR Play Pressed",pindex == "25", "CVR Pause Pressed", pindex == "26", "CVR Landscape Orientation",pindex == "27", "CVR Portrait Orientation", pindex == "28", "CVR Jump Forward", pindex == "29", "CVR Jump Back", pindex == "30", "CVR Video Session Started", pindex == "31", "CVR Video Error", pindex == "32", "CVR Range Set")|stats count by pindextype
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-01-2018
02:40 PM
The function fieldformat is used to change the format of "existing" field without changing underlying value. Here the field pindextype doesn't exist hence can't be used with fieldformat command. You've to either use eval itself OR use fieldformat with existing field "pindex"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-01-2018
02:40 PM
The function fieldformat is used to change the format of "existing" field without changing underlying value. Here the field pindextype doesn't exist hence can't be used with fieldformat command. You've to either use eval itself OR use fieldformat with existing field "pindex"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-01-2018
02:41 PM
Of course, your last stats command would change too if you plan to use existing field pindex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
02-01-2018
02:47 PM
Ahhhhh thats what I missed ... EXISTING field, now it makes sense
Thanks Somesoni2! (again)
Get Updates on the Splunk Community!
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
