When I run a search by itself, it works fine, but ...

mcgi906 · ‎07-13-2016

index=a | eval SPLITid=[search index=b | eval tempid= substr(SPLITLOTID,2,8) | return $tempid ] | table SPLITid

When I run the search by itself, it works fine, but when I run it as a subsearch the table is empty. Any ideas as to why?

mohebtalukder · ‎07-13-2016

Below search works:

index=_* | eval SPLITid=[search index=_audit | eval tempid=substr(id,2,5) | return $tempid] | table SPLITid

But next one did not work for me when I changed the field name:

index=_* | eval SPLITid=[search index=_audit | eval tempid=substr(source,2,5) | return $tempid] | table SPLITid

So, I will suggest you to lookinto substr command. Put it in between " " like below:

"substr(source,2,3)"

Working search:

index=_* | eval SPLITid=[ search index=_audit | eval tempid="substr(source,2,3)" | return $tempid] | table SPLITid

I hope you will find it helpful!!

somesoni2 · ‎07-13-2016

Give this a try

index=a | eval SPLITid=[search index=b | eval search= "\"".substr(SPLITLOTID,2,8)."\"" | return search ] | table SPLITid

When I run a search by itself, it works fine, but when I run it as a subsearch, why is the resulting table empty?