Re: Why isn't this query working for me (using sta...

rbednark · ‎06-26-2019

The following query is not working for me:

message.meta.service=foo
| stats 
    count(eval(message.meta.route="/foobar/publish")) as publishes

It always results in publishes being 0, when it should be greater than 0 (e.g., 55).

Doing a query of just:
message.meta.route="/foobar/publish"
returns multiple events (e.g., 55), but wh

woodcock · ‎06-29-2019

Try this:

 index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND message.meta.service=foo
| stats count(eval('message.meta.route'="/foobar/publish")) AS publishes

You must encapsulate the field name in single-quotes because it contains periods.

gkolstad · ‎06-26-2019

Working with rbednark we discovered that renaming the variable allowed the eval and count to work as expected.
Can't use . in an eval comparison I guess?

message.meta.service=foo
| rename message.meta.route as route
| stats 
count(eval(route="/foobar/publish")) as publishes

somesoni2 · ‎06-26-2019

Try this (fields with special characters in its name should be enclosed in single quotes when used in expressions of eval/where)

 message.meta.service=foo
 | stats 
     count(eval('message.meta.route'="/foobar/publish")) as publishes

gkolstad · ‎06-26-2019

Renaming the variable allowed it to work.

message.meta.service=foo
| rename message.meta.route as route
 | stats 
     count(eval(route="/foobar/publish")) as publishes

Why isn't this query working for me (using stats, eval, count)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation