Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval not matching value from Data model

snemiro_514
Path Finder
‎10-24-2014 12:11 PM

Im rewritting a dashboard using data models. So far so good, but I'm stuck at this point where I need to redefine two new fields and the eval command is not matching the result.

My data model has a child object field TEST.status with values SUCCESS and ERROR.

In my previous chart, direct from the index I had:

search index | chart count as "#", count(eval(status=SUCCESS)) as Good, count(eval(status!=SUCCESS)) as ERR

which works, showing a table with count of total events, count of success and count of errors

Now, using my TEST object I'm doing the same thing, replacing the status by TEST.status, but it shows 0 counts.

| datamodel DM1 TEST search | chart count as "#", count(eval(TEST.status="SUCCESS)) as Good

The values are the same.... what could be wrong??

If I do a
| chart count by TEST.status

I have both values (SUCCESS, ERROR) listed with the proper number of events.

Thanks!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-24-2014 12:43 PM

Enclose the field name in single quotes: eval('TEST.status'="SUCCESS")

The dot in the field name is treated by eval as the concatenation operator, adding the (non-existent) strings in TEST and status together, just like having a field named foo-bar will cause a subtraction to happen. The single quote tells eval to not do that.

Your chart example works because it doesn't attempt to apply any operators, it just treats the whole string as a field name right away.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-24-2014 12:43 PM

Enclose the field name in single quotes: eval('TEST.status'="SUCCESS")

The dot in the field name is treated by eval as the concatenation operator, adding the (non-existent) strings in TEST and status together, just like having a field named foo-bar will cause a subtraction to happen. The single quote tells eval to not do that.

Your chart example works because it doesn't attempt to apply any operators, it just treats the whole string as a field name right away.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...