Is it possible to pass an eval value to table command?

raymondc
Engager

Hi,

I have a string with fields that I want to show in a table. (eval -> my_fields)

This is my search:

| makeresults 
| eval my_fields ="field_a field_b"
| eval field_a ="My Value A", field_b ="Other Value B" 
| table my_fields

And this is my search output:

my_fields
field_a field_b

But I want my result to be like this:

 field_a    | field_b
 My Value A | Other Value B

How can I do this?

0 Karma

somesoni2
SplunkTrust

You can't pass a field value to a table command, but since your field names (in your sample search) are static, you can use a subsearch like this to achieve the same.

| makeresults 
 | eval field_a ="My Value A", field_b ="Other Value B" 
 | table [|makeresults |  eval search ="field_a field_b" | table search ]

The 'search' is a special field name which will return the string value from the subsearch.

DalJeanis
SplunkTrust

You want to have one field that will determine which other fields will be displayed.

Two easy ways, the first describing @somesoni2's above...

your first search that gets values of fieldA and fieldB and potentially other fields
| table [ search your second search that returns names of fieldA and fieldB in a field named search as the only field ]

...or the alternate...

your second search that returns names of fieldA and fieldB in a field named foo (and we don't care how many other fields) 
| map search="search your first search that gets values of fieldA, field B and potentially other fields | table $foo$"
0 Karma
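
A concrete version of the `map` alternative described above, using the sample values from the question (an added example, not part of the original thread). `map` substitutes `$foo$` into the search string as plain text, so the `where match(...)` line is an added guard, assumed here rather than taken from the thread, that drops any field list containing characters other than letters, digits, underscores and spaces before it reaches `map`.

```spl
| makeresults
| eval foo="field_a field_b"
| where match(foo, "^[A-Za-z0-9_ ]+$")
| map maxsearches=1 search="| makeresults | eval field_a=\"My Value A\", field_b=\"Other Value B\" | table $foo$"
```

The result is a single row with the columns field_a and field_b. If the value of foo fails the guard, no row reaches `map` and the inner search never runs.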
