Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

eval fails if fields have a ":" in their name

bnolen
Path Finder
‎10-15-2010 12:26 AM

I have some data in the form of xml records. The fields extract fine using the xmlkv operator, but I can not perform coaelese or similar eval functions because of the ":" in the name of the key fields I am interested in:

source data example:

<c:ResponseHeader>
<c:StatusOk>true</c:StatusOk>
<c:StatusMessage/>
</c:ResponseHeader>
<c:AdminContractId>123456</c:AdminContractId>

search command I would like to use

| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId)

fails with error

Error in 'eval' command: The expression is malformed. Expected ).

even a simpler standalone example

| eval myExample=an:example

fails with

Error in 'eval' command: The operator at ':example' is invalid.

Tags (2)
Reply

bfernandez
Communicator
‎11-27-2012 02:54 AM

You should wrap the fieldname name with '$'

For example:
| eval myExample=$an:example$

Reply

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 01:05 AM

are you sure you get the same error for | eval example=an:example?
i believe it should actually be "Error in 'eval' command: The operator at ':example' is invalid.

It seems to me that this is just not accepted. Fix your fileds is what i would say.

Here is an example i made up:

* | head 2000 | eval x:y=linecount | eval z=x:y

the first eval works just fine, and a new field called x:y gets created, however the second eval, breaks. Again, i believe its normal behavior, but we could possibly ask our Dev's and find out for sure..

as a workaround try:

* | head 2000 | eval x:y=linecount | eval z="x:y"

note the ""
Cheerio,
.gz

Reply

bnolen
Path Finder
‎10-16-2010 12:11 PM

Your solution of encasing the RHS of the equals sign in quotation marks means that it is treated as a string, thus Z will always equal the literal string "x:y" and not the value of variable x:y

Nice idea though, but tried that already, as well as trying to "escape" and colon with a backslash... also no joy.

0 Karma
Reply

bnolen
Path Finder
‎10-15-2010 01:50 AM

I have found a hack type workaround - perform a sed before the xmlkv:

rex field=_raw mode=sed "s/\:/_/g"
0 Karma
Reply

bnolen
Path Finder
‎10-15-2010 01:12 AM

op updated to reflect actual error from the "cooked" example

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...