Splunk Search

eval fails if fields have a ":" in their name

bnolen
Path Finder

I have some data in the form of xml records. The fields extract fine using the xmlkv operator, but I cannot perform coalesce or similar eval functions because of the ":" in the name of the key fields I am interested in:

source data example:

<c:ResponseHeader>
<c:StatusOk>true</c:StatusOk>
<c:StatusMessage/>
</c:ResponseHeader>
<c:AdminContractId>123456</c:AdminContractId>

search command I would like to use

| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId) 

fails with error

Error in 'eval' command: The expression is malformed. Expected ).

even a simpler standalone example

| eval myExample=an:example

fails with

Error in 'eval' command: The operator at ':example' is invalid.


bfernandez
Communicator

You should wrap the fieldname name with '$'

For example:
| eval myExample=$an:example$
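Applying the answer's $...$ wrapping to the search from the question, as an added example that is not part of the original thread. Current Splunk eval documentation quotes field names containing characters other than letters, digits and underscore in single quotation marks, so the first search shows that form. The second search is an assumed alternative to rewriting _raw with sed: it uses the rename command's wildcard support to replace the "c:" and "contract:" prefixes (field names taken from the question) with underscores before eval ever sees them.

```spl
| xmlkv
| eval ctxid=coalesce('c:AdminContractId', 'contract:AdminContractId')

| xmlkv
| rename c:* AS c_*, contract:* AS contract_*
| eval ctxid=coalesce(c_AdminContractId, contract_AdminContractId)
```

The rename variant keeps the original events untouched, which matters when the same _raw is also searched by other extractions; the sed workaround in this thread permanently alters the text every later command sees.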

Genti
Splunk Employee

Are you sure you get the same error for | eval example=an:example?
I believe it should actually be "Error in 'eval' command: The operator at ':example' is invalid."

It seems to me that this is just not accepted. Fix your fields is what I would say.

Here is an example I made up:

* | head 2000 | eval x:y=linecount | eval z=x:y

The first eval works just fine, and a new field called x:y gets created; however, the second eval breaks. Again, I believe it's normal behavior, but we could possibly ask our Devs and find out for sure.

As a workaround try:

* | head 2000 | eval x:y=linecount | eval z="x:y"

Note the "".
Cheerio,
.gz

bnolen
Path Finder

Your solution of encasing the RHS of the equals sign in quotation marks means that it is treated as a string, thus z will always equal the literal string "x:y" and not the value of the variable x:y.

Nice idea though, but I tried that already, as well as trying to "escape" the colon with a backslash... also no joy.

0 Karma

bnolen
Path Finder

I have found a hack-type workaround: perform a sed before the xmlkv:

rex field=_raw mode=sed "s/\:/_/g"
0 Karma

bnolen
Path Finder

OP updated to reflect the actual error from the "cooked" example.

0 Karma