Documenting Problems That Were Difficult To Find The Answer To

Splunk: How Does One Use A JSON Field In Eval?

Today I observed an unusual property of a Splunk search: the JSON fields appeared to be hidden from the eval command, that is, none of the JSON fields seemed accessible in eval.

Then I hit upon this post, and Splunk's eval reference page, which states:

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.

Basically, a JSON field extracted by spath or by automatic extraction gets a dotted name such as record.delay, and the dot is a non-alphanumeric character. Inside eval the dot is the string concatenation operator, so an unquoted record.delay is parsed as the field record concatenated with the field delay (neither of which exists), not as the JSON field. To access a JSON field in an eval expression, reference it with single quotes around the name:

search | eval myval='record.delay'

Field values extracted from JSON are stored as strings, so when you need a numeric comparison it is safest to wrap the quoted name in tonumber() (or tostring() when you want to force string handling), e.g.:

search | eval excessive=if( tonumber('record.delay') > 10, "Y", "N" )

Note that double quotes denote a string literal in eval: "record.delay" gives you the literal text record.delay, not the value of the JSON field you probably wanted.
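The following search is an added example, not part of the original post, that puts the three spellings side by side so the difference is visible in one result row. It builds a constructed JSON event with makeresults and spath rather than reading from an index, and assumes a field named record.delay with the value 17; the names quoted_ref, double_ref and unquoted_ref are just labels chosen for the comparison.

```spl
| makeresults
| eval _raw="{\"record\":{\"host\":\"web01\",\"delay\":17}}"
| spath
| eval quoted_ref='record.delay',
       double_ref="record.delay",
       unquoted_ref=record.delay,
       excessive=if(tonumber('record.delay') > 10, "Y", "N")
| table record.delay quoted_ref double_ref unquoted_ref excessive
```

Running this on any Splunk instance gives a single row in which record.delay and quoted_ref both show 17, double_ref shows the literal text record.delay, unquoted_ref is empty because eval concatenated two non-existent fields named record and delay, and excessive is Y because the numeric comparison ran against the quoted field. If a search has many references to the same JSON field, an alternative that avoids the quoting entirely is to give it an alphanumeric name first, for example with rename record.delay AS delay (or spath path=record.delay output=delay), after which plain eval delay > 10 works as expected.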
