As @yuanliu says, quoting and eval is a little complicated and can be a little confusing

Just remember the rule with eval

Left hand side (LHS) of the eval statement can ONLY use double quotes and only if needed, e.g. 

| eval "status"=case(...)

does NOT need double quotes as it does not contain spaces and can be written as

| eval status=case(...)

However, this left hand side MUST use double quotes, as it contains spaces

| eval "Total Errors"=123

Right hand side (RHS) of the eval 

• Is written without any quotes if a simple field name (e.g. just letters)
  • e.g. status
• SINGLE quotes if the field contains certain special characters or starts with a number
  • e.g. 'Total Errors' or '1stValue' or 'my:Special:Field'

Note though how the following seems confusing with treatment of LHS and RHS names

| eval 1stValue=123
| eval value='1stValue'

Although the 1stValue assignment does NOT need double quotes on the LHS even though it starts with a number, the RHS DOES need single quotes, so eval does not start to treat it as a number.

As a general rule, it is always safe to use SINGLE quotes round a field on the RHS. In your example, you put the 'Suman...' in single quotes, so Splunk thought that was a field you were assigning to new_field, hence it had no value.

In addition to this - note that the previous comment applies to EVAL and NOT to other operations such as aggregations.

In that case, you will use double quotes - yes I know this is confusing - but take this for example where you have fields called

• sale price
• sale quantity

both contain spaces and need a single quote in the EVAL, but in the stats command, the sale quantity field needs to be encapsulated in DOUBLE quotes, not single quotes.

| eval "dollar price"='sale quantity' * 'sale price'
| stats sum("dollar price") as "dollar total" sum("sale quantity") as quantity

---

Field name should be in double quotes.

---

Field name should not be in double quotes.  Double quote encloses literal strings in SPL.  Single quotes enclose field names.

---

@yuanliu wrote:

---

Field name should be in double quotes.

---

Field name should not be in double quotes.  Double quote encloses literal strings in SPL.  Single quotes enclose field names.

---

Correction.  Single quotes dereferences a field, i.e., points to a value.  When you compare with a number literal (200), you need a numerical value to compare, not a string.

The use of double quotes is slightly complicated.  When appearing on the left-hand side of an assignment or in tabulation (including groupby terms), they enclose field names.  In the right-hand side of an assignment or any other form of evaluation expression, they enclose literal strings.

Which means that my initial reply copied the original code too much.

source = "2access_30DAY.log"
 | eval "new_field" = case('status'==200, "Suman and Cloeh are best couple")
 | table status new_field

(When there is no ambiguity as to where the field name ends, i.e., no space or special characters in field name, you can skip single quotes.)