Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a subsearch in an eval line

htkhtk
Path Finder
‎09-24-2010 08:31 PM

I have some requests/responses going through my system. I want to get the size of each response.

The only information I have is a number of lines per request (each line is 4mb)

Currently i do the following:

eval ResponseSize=eventcount * 4

The 4mb might change so there is another place in the log file that prints what that size is.

Can I do a subsearch to pull this number and use it in the multiplication eval to get the ResponseSize?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-24-2010 08:38 PM

You can use the fact that a subsearch will render the "query" field literally. For example:

... | eval ResponseSize = eventcount * [search ... | rename size as query | fields query | head 1]

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-24-2010 08:38 PM

You can use the fact that a subsearch will render the "query" field literally. For example:

... | eval ResponseSize = eventcount * [search ... | rename size as query | fields query | head 1]
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎12-13-2016 05:58 PM

Looks like sometimes it adds excess decoration though.. at least with use cases that would be useful like | rest splunk_server=local /servicesNS/-/[| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1]/data/models. But with some (slightly silly) workarounds it can help! | makeresults | eval test="/servicesNS/-/" + [| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1] + "/data/models" | map search="| rest splunk_server=local $test$"

0 Karma
Reply
Solved! Jump to solution

carasso
Splunk Employee
Splunk Employee
‎10-18-2012 02:02 PM

shorter:

   ... | eval ResponseSize = eventcount * [search ... | return $size]
0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-30-2010 11:21 PM

Subsearches behave like backticks in Unix. Anywhere that they're not treated specially (set, append, join) their result is just rendered as a string and inserted into the search.

Reply
Solved! Jump to solution

Lowell
Super Champion
‎09-30-2010 07:34 PM

Wow. So where all do subsearches work? I thought they only worked in the base search and with special search commands ( like set, append, join, ...) Is this documented somewhere?

0 Karma
Reply
Solved! Jump to solution

htkhtk
Path Finder
‎09-24-2010 08:54 PM

Thanks! i appreciate the fast response!

0 Karma
Reply
Solved! Jump to solution

carolinel
Loves-to-Learn
‎03-07-2020 11:50 AM

| eval Result=number * [search ... | stats avg(dataset) ]
yields this error message: "Error in 'eval' command: Type checking failed. '*' only takes numbers."

The sub search run on its own results in a single number. That number could possibly considered a string, but if I try to convert it to a number with tonumber([search...]) then I get another error message: "Error in 'eval' command: The arguments to the 'tonumber' function are invalid."

If I try this: | eval SubSearchResult=[search ... | stats avg(dataset) ]
I get this error message: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

I need to be able to assign the result of a sub search to a variable to be used in calculation with data from the base search. How can I do this?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-07-2020 12:29 PM

hi @carolinel

|makeresults
| eval test=[|makeresults|eval t=1|return $t]

try this.
To substitute the result of subsearch, it should usereturn
this time, subsearch result is number, no need doble quotes.
If subsearch result is string, it should cover by double quote and return

By the way, |eventstats avg(dataset) as Result
Isn't this enough?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...