Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

eval fails if fields have a ":" in their name

bnolen
Path Finder
‎10-15-2010 12:26 AM

I have some data in the form of xml records. The fields extract fine using the xmlkv operator, but I can not perform coaelese or similar eval functions because of the ":" in the name of the key fields I am interested in:

source data example:

<c:ResponseHeader>
<c:StatusOk>true</c:StatusOk>
<c:StatusMessage/>
</c:ResponseHeader>
<c:AdminContractId>123456</c:AdminContractId>

search command I would like to use

| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId)

fails with error

Error in 'eval' command: The expression is malformed. Expected ).

even a simpler standalone example

| eval myExample=an:example

fails with

Error in 'eval' command: The operator at ':example' is invalid.

Tags (2)
Reply

bfernandez
Communicator
‎11-27-2012 02:54 AM

You should wrap the fieldname name with '$'

For example:
| eval myExample=$an:example$

Reply

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 01:05 AM

are you sure you get the same error for | eval example=an:example?
i believe it should actually be "Error in 'eval' command: The operator at ':example' is invalid.

It seems to me that this is just not accepted. Fix your fileds is what i would say.

Here is an example i made up:

* | head 2000 | eval x:y=linecount | eval z=x:y

the first eval works just fine, and a new field called x:y gets created, however the second eval, breaks. Again, i believe its normal behavior, but we could possibly ask our Dev's and find out for sure..

as a workaround try:

* | head 2000 | eval x:y=linecount | eval z="x:y"

note the ""
Cheerio,
.gz

Reply

bnolen
Path Finder
‎10-16-2010 12:11 PM

Your solution of encasing the RHS of the equals sign in quotation marks means that it is treated as a string, thus Z will always equal the literal string "x:y" and not the value of variable x:y

Nice idea though, but tried that already, as well as trying to "escape" and colon with a backslash... also no joy.

0 Karma
Reply

bnolen
Path Finder
‎10-15-2010 01:50 AM

I have found a hack type workaround - perform a sed before the xmlkv:

rex field=_raw mode=sed "s/\:/_/g"
0 Karma
Reply

bnolen
Path Finder
‎10-15-2010 01:12 AM

op updated to reflect actual error from the "cooked" example

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...