SysAdmin Blog

Splunk eval vs. variable names with dashes

Alexander Bochmann Wednesday 05 of April, 2017
I'm pretty certain I used to know this - but for the next time I'm putting this into a search engine and don't find it in the Splunk docs:

One of our data sources writes structured data into our Splunk installation which contains variable names with dashes - in this particular case, access-time

It's no problem using such a variable in a lot of Splunk operations, but it fails in an eval, as it will be interpreted as a mathematical operation (access minus time).

There's two options to work around that:

  1. the one mentioned in the Splunk documentation: Put the variable name in single quotes, i.e. | eval newtime='access-time' - constant
  2. the other one is to simply rename the variable before working on it: | rename access-time AS accesstime | eval newtime=accesstime - constant