Splunk Search

eval,passing a value in eval

jaygamini
New Member

Hi all,

Please help me … not been success in passing the output of the search into a new search (different table).

index=voipdata 01448ACD5A7CCC212AFD039D
|stats values(MSISDN) as MSISDN|rex field=MSISDN "(?\d+)"|eval V5CallRoute1=if(tdr="V5CallRoute" AND PAITEL="{tel:+%phone%}",CallDataKey,NULL)
|table V5CallRoute1

Line by line explanation ...
index=voipdata 01448ACD5A7CCC212AFD039D |stats values(MSISDN) as MSISDN
// This returns a phone number {18433231540}
rex field=MSISDN "(?\d+)"
//This will format the above output to remove the bracket, hence 18433231540
eval V5CallRoute1=if(tdr="V5CallRoute" AND PAITEL="{tel:+%phone%}",CallDataKey,NULL)
//This is where I need help. Essentially , I’m searching the phone number on “V5CallRoute” table now. Here is an example of the field “PAITEL” -> PAITEL={tel:+18433231540} . So I ‘m trying to pass variable “phone” , apparently not getting any output.

Thanks

Tags (2)
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

As you are doing |stats values(MSISDN) as MSISDN, fields (tdr , CallDataKey , PAITEL) which require in eval is dropped by stats command

so I have created run anywhere search with some sample data and it is producing desired output

| makeresults | eval MSISDN="{18433231540}", tdr="V5CallRoute", PAITEL="{tel:18433231540}", CallDataKey="test123"
| stats values(MSISDN) as MSISDN, values(tdr) AS tdr, values(CallDataKey) AS CallDataKey, values(PAITEL) AS PAITEL
| rex field=MSISDN "(?<phone>\d+)"
| eval V5CallRoute1=if(tdr="V5CallRoute" AND PAITEL="{tel:"+phone+"}",CallDataKey,NULL)
| table V5CallRoute1

So in your case your query will be

index=voipdata 01448ACD5A7CCC212AFD039D
| stats values(MSISDN) as MSISDN, values(tdr) AS tdr, values(CallDataKey) AS CallDataKey, values(PAITEL) AS PAITEL
| rex field=MSISDN "(?<phone>\d+)"
| eval V5CallRoute1=if(tdr="V5CallRoute" AND PAITEL="{tel:"+phone+"}",CallDataKey,NULL)
| table V5CallRoute1

I hope this helps.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...