Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

eval command

dbcase
Motivator
‎11-20-2017 03:52 PM

Ok I'm feeling kinda stupid

this query works

index=wholesale_app buildTarget=comcast analyticType=SessionStart   |eval hardwaretype=Properties.platformData.HC|stats count by Properties.platformData.HC

but this one dosen't

index=wholesale_app buildTarget=comcast analyticType=SessionStart   |eval hardwaretype=Properties.platformData.HC|stats count by hardwaretype

Scratches head ------ what am I missing?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-20-2017 04:01 PM

The fieldname you're using in stats in first query is Properties.platformData.HC which exists and stats works. The eval here may not be doing anything as |eval hardwaretype=Properties.platformData.HC is basically trying to concatenate values of fields Properties with field platformDate and field HC. The dot there is treated as concatenation operator. Assuming you don't have fields Properties,platformDateandHCin your data, the eval fails to populate field hardware type. That's why the second search failed.
You should either use the fieldProperties.platformData.HCin your stats like query 1 OR enclose theProperties.platformData.HC` in single quotes in eval, like this:

index=wholesale_app buildTarget=comcast analyticType=SessionStart    |eval hardwaretype='Properties.platformData.HC'|stats count by hardwaretype

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎11-20-2017 04:03 PM

When you take out the stats command, does hardwaretype come back as a field with values?
Can you try |eval hardwaretype='Properties.platformData.HC' or |rename "Properties.platformData.HC" as hardwaretype

Reply
Solved! Jump to solution

dbcase
Motivator
‎11-20-2017 05:50 PM

Hi Cmerriman,

without the single quotes hardware model just comes back as blank/null

once the single quotes were added things started working as expected.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-20-2017 04:01 PM

The fieldname you're using in stats in first query is Properties.platformData.HC which exists and stats works. The eval here may not be doing anything as |eval hardwaretype=Properties.platformData.HC is basically trying to concatenate values of fields Properties with field platformDate and field HC. The dot there is treated as concatenation operator. Assuming you don't have fields Properties,platformDateandHCin your data, the eval fails to populate field hardware type. That's why the second search failed.
You should either use the fieldProperties.platformData.HCin your stats like query 1 OR enclose theProperties.platformData.HC` in single quotes in eval, like this:

index=wholesale_app buildTarget=comcast analyticType=SessionStart    |eval hardwaretype='Properties.platformData.HC'|stats count by hardwaretype
Reply
Solved! Jump to solution

dbcase
Motivator
‎11-20-2017 05:29 PM

interesting so the dot has dual purpose? Meaning the only way I know how to refer to a json object that has multiple levels is

level1.level2.level3

and the dot is used for concatenation as well

thats not confusing at all 🙂

Thanks Somesoni2!!! Saved large clumps of my hair 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...