Solved: Help adding pipe "l" for all results

kc_prane · ‎08-30-2022

Hello - I am getting the below error. I am trying to add pipe "|" for all the results.

Error : Failed to parse templatized search for field 'ResponseTime(ms)'

My search :

| table PeriodDate VendorName ContractName OccMetricCode Pagekey TransactionType TransactionDatetime ResponseTime(ms) Comment
| foreach * [ eval <<FIELD>>="|".<<FIELD>>."|"]

I am not getting pipe seperated results only for ResponseTime

PeriodDate	ResponseTime(ms)	Comment
\|2022/08/30\|	0	\|\|

Thanks in advance

ITWhisperer · ‎08-30-2022

Try something like this

| table PeriodDate VendorName ContractName OccMetricCode Pagekey TransactionType TransactionDatetime ResponseTime(ms) Comment
| foreach * [ eval "<<FIELD>>"="|".'<<FIELD>>'."|"]

View solution in original post

bowesmana · ‎08-30-2022

To add to @ITWhisperer reply. When handling field names that start with numbers, or contain 'odd' characters, e. g. in this case the brackets, (), you need to use single quote characters on the right hand side of eval. It's always sensible, particularly when using foreach, to DOUBLE quote the left hand side of the eval, i.e.

| eval "QUOTED NAME"='Quoted(ms) field'

ITWhisperer · ‎08-30-2022

Try something like this

| table PeriodDate VendorName ContractName OccMetricCode Pagekey TransactionType TransactionDatetime ResponseTime(ms) Comment
| foreach * [ eval "<<FIELD>>"="|".'<<FIELD>>'."|"]

kc_prane · ‎09-21-2022

Thanks @ITWhisperer

Help adding pipe "l" for all results

fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases