I have a variable $var$, and want to display it in a search result.
When I run
eval varSearch="test" | table varSearch
There are "no events found". How can I do that?
Same problem when I have a variable from upstream, $var$: how can I use a common eval function on it and display it?
Side view provided an answer there:
http://splunk-base.splunk.com/answers/83344/conditional-eval-resultsvaluesetter
In fact, to add a row without results, we need a workaround using a count and hiding the field, as in:
| stats count | fields - count | eval
Is this also supposed to work with a big XML $foo$ value? I have a 1.3MB XML; I see it in Runtime debug, but I can't pass it to the results. Is it because of the quotes?
I've tried with $foo$ and $foo.rawValue$...
If there is any "test" in the event, then it comes in the table in the variable varSearch.
-Kamal Bisht
I have no events at all. I want to assign a value to a new field and see it as a result... Is that possible?