I'm pretty certain I used to know this - but for the next time I'm putting this into a search engine and don't find it in the Splunk docs:
One of our data sources writes structured data into our Splunk installation which contains variable names with dashes - in this particular case, access-time
It's no problem using such a variable in a lot of Splunk operations, but it fails in an eval, as it will be interpreted as a mathematical operation (access minus time).
There are two options to work around that:
- the one mentioned in the Splunk documentation: Put the variable name in single quotes, i.e. | eval newtime='access-time' - constant
- the other one is to simply rename the variable before working on it: | rename access-time AS accesstime | eval newtime=accesstime - constant