Solved: Error in 'eval' command: The operator at '{}.Instr...

TheMilkMan · ‎08-21-2015

Do you know why I get the following error message?

vols{}.Instrument is a valid field but it doesn't like the {}.

index=gasvol | head 1 | eval Contract=vols{}.Instrument + " " + vols{}.SequenceItem | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume

Error in 'eval' command: The operator at '{}.Instrument' is invalid.

somesoni2 · ‎08-21-2015

You go two options here

Rename so that special characters are removed by the field names

index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument + " " + SequenceItem | table Broker Contract Volume
Enclose the fields within single quotes for eval and where commands

index=gasvol | head 1 | eval Contract='vols{}.Instrument' + " " + 'vols{}.SequenceItem' | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume

View solution in original post

TheMilkMan · ‎08-25-2015

I worked it, you need to split the JSON array using spath then use mvexpand to extract the collection.

index=gasvol | head 1 | spath output=myfield path=vols{} | mvexpand myfield | spath input=myfield | eval Contract=Instrument. " " .SequenceItem | table Contract Broker Volume

TheMilkMan · ‎08-24-2015

Thanks both for your help.

This resolved the problem but when I try to join Instrument and SequenceItem the field is blank. It doesn't seem to structure the results like it does display in the table, if I do min then it gives me a value but not the correct value eval Contract2=min(Instrument)." ".min(SequenceItem).

index=gasvol | head 1 | rename vols{}.* as * | table Instrument SequenceItem Broker Volume Contract Contract2 | eval Contract=Instrument." ".SequenceItem

TheMilkMan · ‎08-24-2015

Thanks

Still doesn't work, I think it's related to the level that eval handles events. Any eval events doesn't seem to work on a row basis.

The source data is JSON and Splunk is extracing the collection.

[{"Volume": 10, "Instrument": "FTSE100", "Broker": "FTSE", "SequenceItem": "SPOT"}, {"Volume": 20, "Instrument": "FTSE250", "Broker": "LSE", "SequenceItem": "SPOT"}

richgalloway · ‎08-24-2015

Try rearranging things a little:

index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument." ".SequenceItem | eval Contract2=min(Instrument)." ".min(SequenceItem) | table Instrument SequenceItem Broker Volume Contract Contract2

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎08-21-2015

You go two options here

Rename so that special characters are removed by the field names

index=gasvol | head 1 | rename vols{}.* as * | eval Contract=Instrument + " " + SequenceItem | table Broker Contract Volume
Enclose the fields within single quotes for eval and where commands

index=gasvol | head 1 | eval Contract='vols{}.Instrument' + " " + 'vols{}.SequenceItem' | rename vols{}.Broker as "Broker" vols{}.Volume as "Volume" | table Broker Contract Volume

richgalloway · ‎08-21-2015

I suggest you rename the data model, if you can. Using special characters other than '_' is asking for trouble.

If you can't rename the model itself, try using the rename search command to change "vols{}" to "vols".

index=gasvol | head 1 | rename "vols{}" as vols | eval Contract=vols.Instrument + " " + vols.SequenceItem | rename vols.Broker as "Broker" vols.Volume as "Volume" | table Broker Contract Volume

---
If this reply helps you, Karma would be appreciated.

Error in 'eval' command: The operator at '{}.Instrument' is invalid.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms