- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eval command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I'm feeling kinda stupid
this query works
index=wholesale_app buildTarget=comcast analyticType=SessionStart |eval hardwaretype=Properties.platformData.HC|stats count by Properties.platformData.HC
but this one dosen't
index=wholesale_app buildTarget=comcast analyticType=SessionStart |eval hardwaretype=Properties.platformData.HC|stats count by hardwaretype
Scratches head ------ what am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The fieldname you're using in stats in first query is Properties.platformData.HC which exists and stats works. The eval here may not be doing anything as |eval hardwaretype=Properties.platformData.HC is basically trying to concatenate values of fields Properties with field platformDate and field HC. The dot there is treated as concatenation operator. Assuming you don't have fields Properties,platformDateandHCin your data, the eval fails to populate field hardware type. That's why the second search failed. Properties.platformData.HC
You should either use the fieldin your stats like query 1 OR enclose theProperties.platformData.HC` in single quotes in eval, like this:
index=wholesale_app buildTarget=comcast analyticType=SessionStart |eval hardwaretype='Properties.platformData.HC'|stats count by hardwaretype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you take out the stats command, does hardwaretype come back as a field with values?
Can you try |eval hardwaretype='Properties.platformData.HC' or |rename "Properties.platformData.HC" as hardwaretype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Cmerriman,
without the single quotes hardware model just comes back as blank/null
once the single quotes were added things started working as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The fieldname you're using in stats in first query is Properties.platformData.HC which exists and stats works. The eval here may not be doing anything as |eval hardwaretype=Properties.platformData.HC is basically trying to concatenate values of fields Properties with field platformDate and field HC. The dot there is treated as concatenation operator. Assuming you don't have fields Properties,platformDateandHCin your data, the eval fails to populate field hardware type. That's why the second search failed. Properties.platformData.HC
You should either use the fieldin your stats like query 1 OR enclose theProperties.platformData.HC` in single quotes in eval, like this:
index=wholesale_app buildTarget=comcast analyticType=SessionStart |eval hardwaretype='Properties.platformData.HC'|stats count by hardwaretype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
interesting so the dot has dual purpose? Meaning the only way I know how to refer to a json object that has multiple levels is
level1.level2.level3
and the dot is used for concatenation as well
thats not confusing at all 🙂
Thanks Somesoni2!!! Saved large clumps of my hair 🙂
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
