Using eval within a Search Template?

Tisiphone_1
Explorer

Apologies if this is a novice question, but when I attempt to use any eval statement within a form Search Template, nothing appears to work:

    <searchTemplate>
    index=test | eval searchstring = if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$")
    | search index=test $searchstring$
    </searchTemplate>

Is there something obvious that I am doing wrong? I am looking at the eval documentation, and this seems to be precisely how you are supposed to set a value to a variable. Yet, the variable does not seem usable in the next search. When I look at my search results, I see the form variables resolving, but not the one I set in the eval statement.

0 Karma

gkanapathy
Splunk Employee

You would need:

    index=test  [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ]

You can't expand a variable name in the search command. Using a subsearch is a way around that. You also will have much better performance. The other way would have to retrieve the entire index first, then filter it.

0 Karma

gkanapathy
Splunk Employee

Oh I guess you can also use a second subsearch, not sure if that will help.

0 Karma

Tisiphone_1
Explorer

Just FYI, it works great, except for one instance - " " OR (argument) is treated as (any) OR (argument).

I'll find a workaround.

0 Karma

Tisiphone_1
Explorer

Thanks a bunch. That was much more detail than the documentation goes into.

0 Karma

gkanapathy
Splunk Employee

Yes. The subsearch is implicitly sent to "format" and the resulting string inserted into the search. You can either just concatenate a bigger expression into the value "search", or you can go back and re-do the whole thing as a macro.

0 Karma
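The "concatenate a bigger expression" approach with two optional form inputs, as an added example that is not part of the original thread. `String2`, `Search2`, `c1` and `c2` are hypothetical names, `| makeresults` is swapped in for the thread's `stats count` to produce the single row, and the token values are assumed to contain no double quotes, since tokens are pasted in as text before the search is parsed.

```xml
<!-- Added example, not code from the thread. String2/Search2 are hypothetical
     names for a second form input and the field it filters on. -->
<!-- Assumption: token values contain no double quotes. Tokens are substituted
     as plain text, so a quote in the value would end the eval string early. -->
<!-- "$String1$" is quoted inside if() so eval compares the token's text
     instead of looking up a field with that name. -->
<searchTemplate>
  index=test
    [ | makeresults
      | eval c1=if("$String1$" == "NOTSPECIFIED", " ", "Search1=\"$String1$\"")
      | eval c2=if("$String2$" == "NOTSPECIFIED", " ", "Search2=\"$String2$\"")
      | eval search=c1 . " " . c2
      | table search ]
</searchTemplate>
```

Adjacent terms are implicitly ANDed, so a blank clause for an unspecified input adds no restriction here; the same blank on one side of an explicit OR is the case reported earlier in the thread as matching anything.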

Tisiphone_1
Explorer

OK, so 'search' is actually evaluated and piped back.

What if I want to use more than one IF statement?

0 Karma

gkanapathy
Splunk Employee

You should not have the additional search at the end.

0 Karma

Tisiphone_1
Explorer

Hmm,

I am doing

    index=test [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ] | search index=test $search$

But I always get "The specified search will not match any events"

0 Karma