How to use subsearch to produce arguments for eval?

weichenglo
Engager

Hello,

I want to use a predefined line to extract fields from the _raw field.

e.g. "Name||Phone||Address"
==>

... | eval segs=split(_raw, "||")
    | eval Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) ...

I use the following code:

[| stats c
| eval c=split([search index=defined | eval c="\"".replace(_raw,"[\(\)\-\s]","")."\"" | return $c],"||")
| mvexpand c | eval d=1 | accum d | eval d=d-1
| format "" "" "=mvindex(t_segs," ")" " | eval " ""
| eval search=replace(search,"[cd]=\s*","")
| eval search=replace(search,"\s*\"(\d+)\"\s*","\1")
| eval search=replace(search, "\"\s*","") | return $search]

To produce the argument:

`Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)`

But when the argument is returned to eval:

index=contacts | eval segs=split(_raw, "||") | eval [|stats c ... ... return $search]

it tells me:

** Error in 'eval' command: The operator at '| eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)' is invalid. **

I have no idea where the problem is. I think it should be equivalent to:

index=contacts | eval segs=split(_raw, "||")
| eval Name=mvindex(segs,0) | eval Phone=mvindex(segs,1) | eval Address=mvindex(seg,2)

Thanks for your reading and replying!


woodcock
Esteemed Legend

You have to do it one-by-one and return each parameter separately and assign it like this:

index=contacts | eval segs=split(_raw, "||") | eval  Name=[|stats c ... ... return $Name] | eval  Phone=[|stats c ... ... return $Phone] | eval  Address=[|stats c ... ... return $Address]

Or as a combo like this:

index=contacts | eval segs=split(_raw, "||") | eval NPA=[|stats c ... ... return $NamePhoneAddressEncodedByPipes] | rex field=NPA "(?<Name>[^\|]*)\|\|(?<Phone>[^\|]*)\|\|(?<Address>.*)"
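The one-return-per-field approach from the answer above, written out as an added example that is not code from either poster. The header line `Name||Phone||Address` is embedded with `makeresults` as a constructed stand-in for the `index=defined` events, and a single constructed contact row stands in for `index=contacts`; each subsearch returns only the bare position number of its column, which is a single token eval can accept, whereas the original failed because the returned text contained `| eval ...` and so was not one expression.

```spl
| makeresults
| eval _raw="Alice||555-0100||1 Main St"
| eval segs=split(_raw, "||")
| eval Name=mvindex(segs, [| makeresults | eval h=split("Name||Phone||Address", "||")
    | mvexpand h | streamstats count AS pos | where h="Name" | eval pos=pos-1 | return $pos])
| eval Phone=mvindex(segs, [| makeresults | eval h=split("Name||Phone||Address", "||")
    | mvexpand h | streamstats count AS pos | where h="Phone" | eval pos=pos-1 | return $pos])
| eval Address=mvindex(segs, [| makeresults | eval h=split("Name||Phone||Address", "||")
    | mvexpand h | streamstats count AS pos | where h="Address" | eval pos=pos-1 | return $pos])
| table Name Phone Address
```

Each subsearch splits the header, numbers the columns with `streamstats`, keeps the row whose name matches, and returns its zero-based position, so reordering the header line changes which segment lands in which field without editing the outer search.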