I have an error in eval command: expression malformed

| eval foo=[ | inputlookup funz.csv | search funz="Anagrafe" | eval query=serv | eval query=mvjoin(query,",") | fields query | format "" "" "" "" "" "" ]

where I'm going wrong?
Bye.
Giuseppe

Ok the problem is that I forgot to use stats command to aggregate results that are very many!
Every way now runs, slowly, but runs!
Thank you.
Bye.
Giuseppe

Thank you sundareshr ,
I already tryed using query

| eval query="*"+lookup_field1+"* *"+lookup_field2+"*" | fields query

And in this way I find results in my main search, but the problem is that I need the query values of each event.
Is there a way to pass the query value bot as value and as a field from a subsearch?
Bye.
Giuseppe

Not sure I understand. Can you share some sample? You want eval x_{lookup_field1}=lookup_field1 | rename x_* AS *?

this is my search

index=syslog
[ | inputlookup funz.csv 
   | eval query="*"+serv+"* *"+oper+"*" 
   | fields query
    ]
| stats values(serv) AS serv values(oper) AS oper count by field1 fields2

where "serv" and "oper" are lookup fields that I have to use to search in text search in my main search.
My problem is that before stats command there isn't a field called "query" to show.

I need to show a stat by field1 and field2, but I have to show also serv and oper and I don't know how to take them.

Thank you.

Bye.
Giuseppe

Does the lookup file have field1 and/or field2? If not, how do you decide which serv/oper pair maps to which event in syslog?

I'm thinking, something like this

index=syslog
 [ | inputlookup funz.csv 
    | eval query="*"+serv+"* *"+oper+"*" 
    | fields query
     ]
| lookup funz.csv field1 OUTPUT serv oper
| stats values(serv) AS serv values(oper) AS oper count by field1 fields2

my lookup has both the fields.
The problem is that I use serv and oper in text search not in a field search so to do this I have to use query field, and in this case query value isn't stored in a field.
In other words I don't know how to have query value in a field.
I have to use both of them, but there is the problem also with one of them.
In your example I haven't field1 in my search result because serv and oper are a substring of my row, see the following example
2016-12-06 13:04:27,819 133063049 [pool-8-thread-2] ERROR loggerinformation.internal.it.copergmps ? - Code Type descr < [WebContainer : 45] EJBException{HASERVICES}it.coper.soa.agg_v03.serv.aaa03Bean :
serv=aaa oper=bbb
as you can see aaa is a part of it.coper.soa.agg_v03.serv.aaa03Bean and bbb is a part of
aggbbb but they arent fields of my result.
In other words if I could use the "query" field after subsearch I'd solve my problems.
Or if it could be possible to store a value in a variable setted in my subsearch and used after pipe.

Bye.
Giuseppe

How about this?

| inputlookup funz.csv | fields serv oper | map search="index=syslog $serv$ $oper$ | eval oper=\"$oper\"$ | eval serv=\"$serv$\""

I have no results and this message in Process Inspector
The search result count (493) exceeds maximum (10), using max. To override it, set maxsearches appropriately.
Unable to run query 'index=....
Bye.
Giuseppe

Add maxsearches option to the max command.

 | inputlookup funz.csv | fields serv oper | map maxsearches=500 search="index=syslog $serv$ $oper$ | eval oper=\"$oper\"$ | eval serv=\"$serv$\""

Hi jmallorquin,
my problem is that I have fields in lookup but not in search.
I have to search using only values not fields and I did it using query.
But the problem is that I need to know the query values (there are two values for each lookup row) that are satisfied by each result.
But query value isn't recorded in any field.
Bye.
Giuseppe