Ruslan

Topics I've Started

Subject

Karma

Author

Any idea why eval doesn't assign value

Query example: index=eks sourcetype="kube:container" message=log | fields data.user_agent | rex field=data.user_agent mode=sed "s/[0-9]//g" | rex field=data.user_agent mode=sed "s/\.//g" | eval agent = data.user_agent | table data.user_agent, agent After this query `agent` column is empty. While data.user_agent is filled with data. Was expecting to have a text copy. Also if will add some logic, based on data.user_agent it will not work for reason as well: index=eks-prod sourcetype="kube:container:api-auth" message=web_login | fields data.user_agent | rex field=data.user_agent mode=sed "s/[0-9]//g" | rex field=data.user_agent mode=sed "s/\.//g" | eval agent = if(like(data.user_agent, "Mozilla%"), "browser", "device") | stats count by agent this will produce result with always "device", never "browser"

Karma given to

User

Karma Count

Posts	1
Solutions	0
Karma Given	2
Karma Received	0
Member Since	‎02-03-2021

Online Status	Offline
Date Last Visited	‎02-04-2021 06:16 PM

Are you a member of the Splunk Community?

Any idea why eval doesn't assign value

Any idea why eval doesn't assign value