- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to run a search within an eval if s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to run a search within an eval if statement?
Hello,
I am wondering if it possible to do a search within an "if" statement. I have tried what I have in the search below, but it does not appear to be working. Any assistance is helpful. Please be aware this is just a test search to see if this is possible, the search within the if statement will be changed at a later time.
|inputlookup TEST.csv
| lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN
| where !isnull(Valid_User) AND type="Group"
| fields - Valid_User message_id
|ldapfilter search="(memberOf=$DN$)" attrs="mail"
|rename mail AS Recipient
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host], "")
|table Recipient Subject type
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as you search is returning a string/number, in single row that can be assigned/used in eval expression, it'll work.
|inputlookup TEST.csv
| lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN
| where !isnull(Valid_User) AND type="Group"
| fields - Valid_User message_id
|ldapfilter search="(memberOf=$DN$)" attrs="mail"
|rename mail AS Recipient
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | eval search="\"".host."\"" | table search ], "")
|table Recipient Subject type
So the subsearch within eval is returning just single string value, enclosed in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same issue, however my search returns a table. Based on the if condition one of two searches is executed and the return type in both cases is a table. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, all my numerous tests show that the query in the test case will run regardless of the tests results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran the search you provided(I changed some of the wording to fit my environment) I keep getting this error. Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , "")'. Any idea as to why this is happening?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need to use return host or return $host after head 1 | instead of the eval search ... | table search
something like
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return host], "")
or
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return $host], "")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your second search worked. We have to put return $field.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
