Splunk: How Does One Use A JSON Field In Eval?
January 21, 2015
Today I observed an unusual property of a Splunk search: the JSON fields appeared to be hidden from the eval command, that is, none of the JSON fields seemed accessible inside an eval expression.
Then I hit upon this post, and Splunk's eval reference page, which states:
If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.
Basically, to access a JSON field (whose name contains dots) in an eval expression, it must be referenced with single quotes around the field name.
search |eval myval='record.delay'
You may want to use the tostring() or tonumber() functions, e.g.:
search |eval excessive=if( tonumber('record.delay') > 10, "Y", "N" )
Note that if you use double quotes you will get the literal string "record.delay", not the value of the JSON field you probably wanted.
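To reproduce the pitfall without any indexed data, here is an added example search (not from the original post) that builds a constructed JSON event with makeresults, extracts its fields with spath, and puts the double-quoted literal next to the single-quoted field reference; the record.delay value of 42 is made up for the demonstration.

```spl
| makeresults
| eval _raw="{\"record\": {\"delay\": 42, \"host\": \"web-1\"}}"
| spath
| eval literal="record.delay"
| eval value='record.delay'
| eval excessive=if(tonumber('record.delay') > 10, "Y", "N")
| table literal value excessive
```

The literal column holds the text record.delay, while value and excessive are computed from the extracted field, which is the difference the post describes.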