Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval fails if fields have a ":" in their name

bnolen
Path Finder
‎10-15-2010 12:26 AM

I have some data in the form of xml records. The fields extract fine using the xmlkv operator, but I can not perform coaelese or similar eval functions because of the ":" in the name of the key fields I am interested in:

source data example:

<c:ResponseHeader>
<c:StatusOk>true</c:StatusOk>
<c:StatusMessage/>
</c:ResponseHeader>
<c:AdminContractId>123456</c:AdminContractId>

search command I would like to use

| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId)

fails with error

Error in 'eval' command: The expression is malformed. Expected ).

even a simpler standalone example

| eval myExample=an:example

fails with

Error in 'eval' command: The operator at ':example' is invalid.

Tags (2)
Reply

bfernandez
Communicator
‎11-27-2012 02:54 AM

You should wrap the fieldname name with '$'

For example:
| eval myExample=$an:example$

Reply

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 01:05 AM

are you sure you get the same error for | eval example=an:example?
i believe it should actually be "Error in 'eval' command: The operator at ':example' is invalid.

It seems to me that this is just not accepted. Fix your fileds is what i would say.

Here is an example i made up:

* | head 2000 | eval x:y=linecount | eval z=x:y

the first eval works just fine, and a new field called x:y gets created, however the second eval, breaks. Again, i believe its normal behavior, but we could possibly ask our Dev's and find out for sure..

as a workaround try:

* | head 2000 | eval x:y=linecount | eval z="x:y"

note the ""
Cheerio,
.gz

Reply

bnolen
Path Finder
‎10-16-2010 12:11 PM

Your solution of encasing the RHS of the equals sign in quotation marks means that it is treated as a string, thus Z will always equal the literal string "x:y" and not the value of variable x:y

Nice idea though, but tried that already, as well as trying to "escape" and colon with a backslash... also no joy.

0 Karma
Reply

bnolen
Path Finder
‎10-15-2010 01:50 AM

I have found a hack type workaround - perform a sed before the xmlkv:

rex field=_raw mode=sed "s/\:/_/g"
0 Karma
Reply

bnolen
Path Finder
‎10-15-2010 01:12 AM

op updated to reflect actual error from the "cooked" example

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...