Why isn't this query working for me (using stats, ...

rbednark · ‎06-26-2019

The following query is not working for me:

message.meta.service=foo
| stats 
    count(eval(message.meta.route="/foobar/publish")) as publishes

It always results in publishes being 0, when it should be greater than 0 (e.g., 55).

Doing a query of just:
message.meta.route="/foobar/publish"
returns multiple events (e.g., 55), but wh

woodcock · ‎06-29-2019

Try this:

 index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND message.meta.service=foo
| stats count(eval('message.meta.route'="/foobar/publish")) AS publishes

You must encapsulate the field name in single-quotes because it contains periods.

gkolstad · ‎06-26-2019

Working with rbednark we discovered that renaming the variable allowed the eval and count to work as expected.
Can't use . in an eval comparison I guess?

message.meta.service=foo
| rename message.meta.route as route
| stats 
count(eval(route="/foobar/publish")) as publishes

somesoni2 · ‎06-26-2019

Try this (fields with special characters in its name should be enclosed in single quotes when used in expressions of eval/where)

 message.meta.service=foo
 | stats 
     count(eval('message.meta.route'="/foobar/publish")) as publishes

gkolstad · ‎06-26-2019

Renaming the variable allowed it to work.

message.meta.service=foo
| rename message.meta.route as route
 | stats 
     count(eval(route="/foobar/publish")) as publishes

Why isn't this query working for me (using stats, eval, count)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation