Splunk Search

EVAL JSON Consistency

andywins
Explorer

With JSON formatted events, I can do fun things like this:

sourcetype="microBreadcrumb" | stats sum(message.totalIdle) as sumTotalIdle | table sumTotalIdle

As you can see, there is no problem accessing and using the second level within the JSON tree (message.totalIdle). Why does this change when doing a simple eval like this?

sourcetype="microBreadcrumb" | eval test=message.totalIdle | table test

No results show up. My guess is the period character "." is normally utilized for string appends within an EVAL expression. Now, I can still accomplish the goal with spath:

sourcetype="microBreadcrumb" | eval test=spath(_raw,"message.totalIdle") | table test

JSON field referencing seems inconsistent between various pipe expressions. I would rather not clutter up the search with the spath function. Don't get me wrong, the spath function is cleaner than the spath pipe expression (i.e. spath output=message_totalIdle path=message.totalIdle) but I feel this is messy compared to basic k/v pair field references. Also, EVALs still allow field references at the root level but nothing deeper. Considering KV_MODE = json, I would enjoy referencing fields by the indexed "interesting fields" names on the left hand side panel.

Am I missing something simple here?

1 Solution

cphair
Builder

I've never used JSON-formatted data in Splunk, but does it work if you enclose the name in single quotes? E.g. eval test='message.totalIdle'


fleXible
Explorer

Single quotes actually work. Great job!

patrick_muller
Explorer

Thanks, it helped me too.


andywins
Explorer

That makes sense to me. I probably tried every bracket character besides single quotes. It's critical details like these you skim over in the documentation. Thanks again

cphair
Builder

Good to hear. I'm not sure exactly how the search parser thinks, but I think the distinction between the cases is that for sum(message.totalIdle), the only way it makes sense is to treat the whole string as a single field name, whereas in the eval test=message.totalIdle it's ambiguous what the dot is supposed to do, so you need to use the single quotes to explicitly say "this is a field name; take its value."
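A self-contained search that demonstrates the distinction cphair describes, added here as an example and not posted by anyone in the thread. It needs no microBreadcrumb data: it builds one constructed JSON event with makeresults (the totalIdle value of 120 and the host name are made up), extracts it with spath, and then refers to the nested field in the four ways discussed above side by side.

```spl
| makeresults count=1
| eval _raw="{\"message\": {\"totalIdle\": 120, \"host\": \"web01\"}}"
| spath
| eval unquoted=message.totalIdle
| eval quoted='message.totalIdle'
| eval literal="message.totalIdle"
| eval fromspath=spath(_raw, "message.totalIdle")
| eval sumCheck='message.totalIdle' + 0
| table message.totalIdle unquoted quoted literal fromspath sumCheck
```

Running this gives one row. The unquoted column is empty: eval reads message.totalIdle as field message, the concatenation operator ".", then field totalIdle, and since neither message nor totalIdle exists as a field the result is null. The quoted column and the fromspath column both hold 120, because single quotes tell eval "this is one field name, take its value" and spath() looks the path up directly. The literal column holds the text message.totalIdle in every row, since double quotes in eval always mean a string literal; that is the silent failure to check for when a search suddenly returns a constant where a number was expected. The sumCheck column confirms the quoted form yields a number that arithmetic (and hence stats sum) works on. The same single-quote rule applies to any field name containing characters eval would otherwise parse as operators, such as dots, hyphens or spaces.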

andywins
Explorer

"jaw drop" It does! Thank you cphair, this is perfect.
