Splunk Search

Why can't I do an eval with a rest call in a subsearch?

nick405060
Motivator

Hi there,

I'm trying to add a column to my base search that is the user currently logged into Splunk. This is a code snippet I'll call REST:

search index=_internal [ | rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)=="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user

I can eval to the code snippet, if it's not a subsearch:

| makeresults | eval user=[<REST>]

However, I cannot eval to the code snippet as a subsearch:

<search base="all">
    <query>
| eval user= [<REST>] | table *
    </query>
</search>

It just tells me:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

I don't have the problem if I do the exact same thing but change the code snippet so that it doesn't involve a rest call.

0 Karma
1 Solution

cmerriman
Super Champion

what if you created a token with the search?

<search>
    <query>index=_internal [ | rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user</query>
    <done>
        <!-- "return $user" puts the value in the field "search"; done-handler tokens are read with $result.<field>$ -->
        <set token="user">$result.search$</set>
    </done>
</search>

and then in your other panel:

<search base="all">
    <query>
| eval user= $user$ | table *
    </query>
</search>


nick405060
Motivator

I also tried this using a left join as a pseudo eval... and it still doesn't work. I think that search index=_internal [ rest /services/authentication/current-context/context | fields + username] just hates being inside other brackets no matter if it's a left join or eval

0 Karma

nick405060
Motivator

Okay awesome, got it! I'm not sure if you meant I should create a token in the base search that I should use in the subsearch (I think that's what you meant), which is what I mentioned in my previous comment as still not working.

However, if I create a third "hidden" search that is JUST the rest call, then I can use that token in the subsearch. So basically the order Splunk processes the data is, rest_search (creating token) -> base_search -> subsearch (uses token)

0 Karma
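The layout the thread converges on, written out as a complete Simple XML dashboard (an added example, not code from either poster): a hidden search publishes the logged-in account as a token, the base search runs on its own, and the post-process search waits for the token. The base search on index=_internal and its field names are stand-ins for the asker's own base search; "| return $user" is dropped so the value stays in the field "user".

```xml
<form>
  <label>Per-user column via hidden REST search (added example)</label>

  <!-- 1. Hidden search with no panel. It runs first and its only job is to
       publish the logged-in account as $user$. Without "| return $user" the
       value stays in the field "user", so $result.user$ reads it. -->
  <search>
    <query>| rest /services/authentication/current-context/context
      | fields username
      | rename username as user
      | search user != "splunk-system-user"
      | head 1
      | eval user=if(substr(user,1,3)="sa_", substr(user,4,8), user)</query>
    <done>
      <set token="user">$result.user$</set>
    </done>
  </search>

  <!-- 2. Base search (stand-in for the asker's own base search). It does not
       reference the token, so it is free to start immediately. -->
  <search id="all">
    <query>index=_internal sourcetype=splunkd | fields _time component</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Events seen by $user$</title>
      <!-- 3. Post-process search. Because its query contains $user$, Splunk
           holds it until the token is set, which yields the order
           rest_search -> base_search -> this search. The |s filter wraps the
           value in double quotes and escapes any quote inside it, so the
           manual "\"" concatenation from the question is not needed. -->
      <table>
        <search base="all">
          <query>| eval user=$user|s$ | table _time component user</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The token only labels rows with the session's account and is not an access control: anyone who can run the base search sees all of its results, so restricting what each user may see belongs in role search filters and index permissions, not in the dashboard.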

nick405060
Motivator

Interesting, when I saw your answer I got excited because it definitely seems like that would fix it. However, if I do what you described and move REST to the base search and create a token, then I get the same error in the base search. Just like before, if I edit the REST code snippet so that it no longer involves a rest call, then I no longer get the error.

Since the REST code snippet works by itself, there must be something going on in my base search that somehow makes it not work.... I have no idea what it could be. My base search is only inputcsvs, index searches, and joins.

0 Karma

cmerriman
Super Champion

Can you share your xml? This works on my test dashboard. What version are you on? What capabilities does your role/user have?

0 Karma