Splunk Search

Eval usage limit?

kmattern
Builder

Is there a limit to the number of eval functions that can be used in a single search? It appears that using more than about 17 eval statements the search will not even try to run. I just get a greyed out searchbar and a prohibited mouse pointer. I have one search that has 17 evals and it runs but I can't seem to cross that limit.

0 Karma

devin_stonecyph
Explorer

Try using a case statement instead of all those ifs.

0 Karma

martin_mueller
SplunkTrust

There are no if expressions in the posted searches.

0 Karma

martin_mueller
SplunkTrust

Running this query works without a hitch for me, with about four dozen evals:

| stats count as NUM | eval EVENT_DATE = NUM | eval SYS_CODE = NUM | eval DISC_TIME = NUM | eval STATUS = NUM | eval SLOT = NUM | eval MILES = NUM | eval WHEN_DWN = NUM | eval HOW_LOC = NUM | eval DMG_CD = NUM | eval DELAY = NUM | eval CHG = NUM | eval ED="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN="<td>NUM<BR />".NUM."</td>"
| eval SC="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST="<td>STATUS<BR />".STATUS."</td>"
| eval DP="<td>SLOT<BR />".SLOT."</td>"
| eval EB="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC="<td>CHG<BR />".CHG."</td>"
| eval ED2="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN2="<td>NUM<BR />".NUM."</td>"
| eval SC2="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT2="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST2="<td>STATUS<BR />".STATUS."</td>"
| eval DP2="<td>SLOT<BR />".SLOT."</td>"
| eval EB2="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD2="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR2="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF2="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY2="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC2="<td>CHG<BR />".CHG."</td>"
| eval ED3="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN3="<td>NUM<BR />".NUM."</td>"
| eval SC3="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT3="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST3="<td>STATUS<BR />".STATUS."</td>"
| eval DP3="<td>SLOT<BR />".SLOT."</td>"
| eval EB3="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD3="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR3="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF3="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY3="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC3="<td>CHG<BR />".CHG."</td>"

kristian_kolb
Ultra Champion

edited the comment to format as <code>, which shows the HTML kmattern is trying to create - I guess ...

0 Karma

linu1988
Champion

What are those dots doing in the bracket? On first look the query is wrong with mismatching quotes.

0 Karma

kmattern
Builder

My evals tend to look like this.

| eval ED="<td>DATE<BR />".EVENT_DATE."</td>"
| eval EN="<td>NUM<BR />".NUM."</td>"
| eval SC="<td>SYS<BR />".SYS_CODE."</td>"
| eval DT="<td>TIME<BR />".DISC_TIME."</td>"
| eval ST="<td>STATUS<BR />".STATUS."</td>"
| eval DP="<td>SLOT<BR />".SLOT."</td>"
| eval EB="<td colspan='2'>VEHC MILES<BR />".MILES."</td>"
| eval WD="<td colspan='2'>WHEN DOWN<BR />".WHEN_DWN."</td>"
| eval HR="<td>HOW LOC<BR />".HOW_LOC."</td>"
| eval MF="<td>DMG CD<BR />".DMG_CD."</td>"
| eval DLY="<td colspan='4'>DELAY<BR />".DELAY."</td>"
| eval WUC="<td>CHG<BR />".CHG."</td>"

0 Karma

martin_mueller
SplunkTrust

A large number of eval calls in and of themselves seem fine to me:

| stats count
| eval foo0 = 1 | eval foo1 = 1 | eval foo2 = 1 | eval foo3 = 1 | eval foo4 = 1 | eval foo5 = 1 | eval foo6 = 1 | eval foo7 = 1 | eval foo8 = 1 | eval foo9 = 1
| eval foo10 = 1 | eval foo11 = 1 | eval foo12 = 1 | eval foo13 = 1 | eval foo14 = 1 | eval foo15 = 1 | eval foo16 = 1 | eval foo17 = 1 | eval foo18 = 1 | eval foo19 = 1
| eval foo20 = 1 | eval foo21 = 1 | eval foo22 = 1 | eval foo23 = 1 | eval foo24 = 1 | eval foo25 = 1 | eval foo26 = 1 | eval foo27 = 1 | eval foo28 = 1 | eval foo29 = 1