Splunk Search

eval fails if fields have a ":" in their name

bnolen
Path Finder

I have some data in the form of XML records. The fields extract fine using the xmlkv operator, but I cannot perform coalesce or similar eval functions because of the ":" in the name of the key fields I am interested in:

source data example:

<c:ResponseHeader>
<c:StatusOk>true</c:StatusOk>
<c:StatusMessage/>
</c:ResponseHeader>
<c:AdminContractId>123456</c:AdminContractId>

search command I would like to use

| xmlkv |eval ctxid=coalesce(c:AdminContractId, contract:AdminContractId) 

fails with error

Error in 'eval' command: The expression is malformed. Expected ).

even a simpler standalone example

| eval myExample=an:example

fails with

Error in 'eval' command: The operator at ':example' is invalid.


bfernandez
Communicator

You should wrap the field name with '$'

For example:
| eval myExample=$an:example$

Genti
Splunk Employee

Are you sure you get the same error for | eval example=an:example?
I believe it should actually be "Error in 'eval' command: The operator at ':example' is invalid."

It seems to me that this is just not accepted. Fix your fields is what I would say.

Here is an example I made up:

* | head 2000 | eval x:y=linecount | eval z=x:y

The first eval works just fine, and a new field called x:y gets created; however, the second eval breaks. Again, I believe it's normal behavior, but we could possibly ask our Devs and find out for sure.

As a workaround try:

* | head 2000 | eval x:y=linecount | eval z="x:y"

Note the "".
Cheerio,
.gz

bnolen
Path Finder

Your solution of encasing the RHS of the equals sign in quotation marks means that it is treated as a string, thus Z will always equal the literal string "x:y" and not the value of variable x:y

Nice idea, but I tried that already, as well as trying to "escape" the colon with a backslash... also no joy.


bnolen
Path Finder

I have found a hack-type workaround: perform a sed before the xmlkv:

rex field=_raw mode=sed "s/\:/_/g"
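The sed workaround above replaces every colon in _raw, including colons inside values such as timestamps, not only the ones in tag names. Added example, not from this thread or from Splunk, in Python: the same global rewrite beside one that only touches the namespace prefix inside tag names, with small stand-ins for xmlkv and coalesce so the difference shows on the question's sample record. The helpers rename_prefixed_tags, xml_kv and coalesce and the extra c:Timestamp element are constructed for this illustration.

```python
import re

# Constructed sample event modelled on the XML in the question; the
# c:Timestamp element is added so that a value containing colons is present.
SAMPLE_RAW = (
    "<c:ResponseHeader>"
    "<c:StatusOk>true</c:StatusOk>"
    "<c:StatusMessage/>"
    "<c:Timestamp>2024-03-01T12:34:56Z</c:Timestamp>"
    "</c:ResponseHeader>"
    "<c:AdminContractId>123456</c:AdminContractId>"
)

# Mirrors the posted workaround, rex field=_raw mode=sed "s/\:/_/g":
# every colon in the event is replaced, inside values as well as tag names.
def sed_all_colons(raw: str) -> str:
    return raw.replace(":", "_")

# Narrower rewrite: only the namespace prefix inside an opening, closing or
# self-closing tag is touched, so <c:Foo> becomes <c_Foo> and text stays intact.
TAG_PREFIX_RE = re.compile(r"<(/?)([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)")

def rename_prefixed_tags(raw: str) -> str:
    return TAG_PREFIX_RE.sub(r"<\1\2_\3", raw)

# Minimal stand-in for xmlkv (hypothetical helper, not Splunk's code): each
# leaf element with text content becomes a field named after the element.
KV_RE = re.compile(r"<([\w.:-]+)>([^<]*)</\1>")

def xml_kv(raw: str) -> dict:
    return {m.group(1): m.group(2) for m in KV_RE.finditer(raw)}

# The coalesce the question wants to run: the first non-empty value wins.
def coalesce(fields: dict, *names: str):
    for name in names:
        value = fields.get(name)
        if value not in (None, ""):
            return value
    return None

if __name__ == "__main__":
    for label, rewrite in (("sed all colons", sed_all_colons),
                           ("rename tags only", rename_prefixed_tags)):
        fields = xml_kv(rewrite(SAMPLE_RAW))
        print(label, fields.get("c_Timestamp"),
              coalesce(fields, "c_AdminContractId", "contract_AdminContractId"))
```

Run as a script it prints the timestamp once mangled and once intact, while the contract id is recovered by both rewrites.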

bnolen
Path Finder

OP updated to reflect the actual error from the "cooked" example.
