How to use subsearch to produce arguments for eval...

weichenglo · ‎08-16-2015

Hello,

I want to use a line predefined, to extract fields from _raw field.

e.g. "Name||Phone||Address"
==>

... | eval segs=split(_raw, "||")`
    | eval Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) ...`

I use the following code

[| stats c
| eval c=split([search index=defined | eval c="\"".replace(_raw,"[\(\)\-\s]","")."\"" | return $c],"||")
| mvexpand c | eval d=1 | accum d | eval d=d-1
| format "" "" "=mvindex(t_segs," ")" " | eval " ""
| eval search=replace(search,"[cd]=\s*","")
| eval search=replace(search,"\s*\"(\d+)\"\s*","\1")
| eval search=replace(search, "\"\s*","") | return $search]

To produce the argument:

`Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)`

But when the argument is returned to eval:
'index=contacts | eval segs=split(_raw, "||") | eval *[|stats c ... ... return $search]* It tells me ** Error in 'eval' command: The operator at '| eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)' is invalid. **

I have no idea where the problem is. I think it must be equal to

index=contacts | eval segs=split(_raw, "||")
| eval Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)

Thanks for your reading and replying!

woodcock · ‎08-17-2015

You have to do it one-by-one and return each parameter separately and assign it like this:

index=contacts | eval segs=split(_raw, "||") | eval  Name=[|stats c ... ... return $Name] | eval  Phone=[|stats c ... ... return $Phone] | eval  Address=[|stats c ... ... return $Address]

Or as a combo like this:

index=contacts | eval segs=split(_raw, "||") | eval NPA=[|stats c ... ... return $NamePhoneAddressEncodedByPipes] | eval rex field=NPA "(?<Name>[^\|]*)\|(?<Phone>[^\|]*)\|(?<Address>.*)"

How to use subsearch to produce arguments for eval?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life