Splunk Search

Using eval from outer search to inner

dhruv101
Path Finder

Hi,

I am aware that an eval in the parent search cannot be used in a subsearch like this -

| eval foo = .....  | eval bar = [search index='event' | eval alice = foo/10]

if subsearch is out of the question, then are joins the only way we can achieve this? Also, is it possible to return a multivalued field(list) in the above query and store it in bar, instead of returning a single number(like count using return $count). If so, how is it done?

Basically if I have an eval in one search and I want to extract a list of data from another search index where that eval needs to be used, how is it achieved?

Thanks.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi dhruv101,

simply switch the searches, so that your sub search returns the eval result to the base search.
Try this run everywhere example, which will not any result:

index=_* 
    [ search index=_audit 
    | stats count by sourcetype 
    | sort - count 
    | head 5 
    | eval foo=case(count > 1000, "lots", count < 1000, "less", 1=1, "unknown") 
    | table foo 
    | format ]

But looking at the litsearch in job inspector you can see that foo was used in the base search 😉

litsearch (index=_* foo="lots") | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

Hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...