Solved: Re: How to pass the values of an evaluated field i...

rcorfield · ‎07-11-2018

Hi

I am trying to adjust an existing process which collects results of a query into a summary index. What I'm trying to do is add a new evaluated field and pass it into the summary index. I've been looking at the 'marker' option to 'collect', but that passes a string directly rather than the value of the field. Is there any way to pass the value of the field?

This is roughly what I'm trying:

index=<index> <query>
   | eval score1 = if(<subquery1>, 1, 0)
   | eval score2 = if(<subquery2>, 1, 0)
   | eval score_total = score1 + score2
| collect index=<summary_index> marker="score_total=score_total"

I was naively hoping that the 'score_total' field in the summary index (which now exists) would hold the evaluated numeric value, but unfortunately (for me) it contains the string 'score_total'.

Is there any way to achieve what I'm trying to do here? Or some alternative?

Thanks in advance.

Richard

rcorfield · ‎07-12-2018

In the end I was able to solve my problem with the help of a similar question that had been asked previously:
https://answers.splunk.com/answers/224003/why-am-i-not-able-to-get-any-dynamic-content-using.html

I added the content I needed to the _raw field and this was then available as a field in the summary index:

 index=<index> <query>
    | eval score1 = if(<subquery1>, 1, 0)
    | eval score2 = if(<subquery2>, 1, 0)
    | eval score_total = score1 + score2
    | eval _raw=_raw.", score_total=".score_total
 | collect index=<summary_index>

View solution in original post

rcorfield · ‎07-12-2018

In the end I was able to solve my problem with the help of a similar question that had been asked previously:
https://answers.splunk.com/answers/224003/why-am-i-not-able-to-get-any-dynamic-content-using.html

I added the content I needed to the _raw field and this was then available as a field in the summary index:

 index=<index> <query>
    | eval score1 = if(<subquery1>, 1, 0)
    | eval score2 = if(<subquery2>, 1, 0)
    | eval score_total = score1 + score2
    | eval _raw=_raw.", score_total=".score_total
 | collect index=<summary_index>

richgalloway · ‎07-12-2018

@rcorfield If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

woodcock · ‎07-11-2018

Why not just this?

 index=<index> <query>
    | eval score1 = if(<subquery1>, 1, 0)
    | eval score2 = if(<subquery2>, 1, 0)
    | eval marker = "score_total=" . score1 + score2
 | collect index=<summary_index>

rcorfield · ‎07-12-2018

Thanks, but unfortunately I still couldn't see score_total in the summary index using this suggestion.

DalJeanis · ‎07-11-2018

Try concatenating. See if one of these matches your needs:

 | collect index=<summary_index> marker=tostring("score_total=".score_total)

OR

 | eval score_total="score_total=".score_total)
 | collect index=<summary_index> marker=score_total

rcorfield · ‎07-12-2018

Thanks for your suggestions, but unfortunately it still wouldn't populate it with the value of the field, so instead I ended up with things like

marker="score_total".score_total

I solved it by appending my field to the _raw field in the end.

How to pass the values of an evaluated field into a summary index with collect?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk