Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to filter the results based on the evaluated field?

amerineni
Loves-to-Learn
‎11-02-2022 02:31 PM

I'm trying the below query,

index=XXXXXXXXX   | eval space="cf_space_name=production" | search "space"  YYYYYYYYYYYY | stats count

===================================================================

I want to filter the results based on the evaluated field.

| search "space"    XXXXXXXXXXXXX    => is not returning correct values

|  search "cf_space_name=production"    XXXXXXXXXXXXX    =>  but If I use the value like this its working.

how to fix this? Thanks for the help.

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-02-2022 10:22 PM

Like @richgalloway mentioned, the value in 'space' is not substituted as part of command in | search.  Can you explain why it is even necessary to use that syntax if  | search "cf_space_name=production" YYYYYYYYYYY already works?  Maybe you are thinking of a token in dashboard?

(As a side, | search "cf_space_name=production" YYYYYYYYYYY  is semantically different from | search cf_space_name=production YYYYYYYYYYY.  You want to consider what exactly is intended.)

0 Karma
Reply

amerineni
Loves-to-Learn
‎11-03-2022 01:40 PM

I have two inputs in the dashboard and I need to evaluate filed name and value to compare dynamically based on those inputs and filter events based on that.  That is what I'm tryign to do.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-03-2022 11:08 PM

I still don't see how "cf_space_name=production" is a dynamic input.  In this form, it is just a static string.  Can you explain?  Maybe you can illustrate with data (anonymize as necessary)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2022 01:55 PM

I hoping this was in a dashboard.  If you have an input called "space" that holds a cf_space_name value then you can reference that token in the SPL.

index=XXXXXXXXX cf_space_name=$space$ YYYYYYYYYYYY 
| stats count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-02-2022 05:12 PM

The search command treats "space" with or without quotation marks as a literal string rather than a field name. 

The eval command assigns a value to a field, creating the field if necessary.  It does not define variables that can be used in arbitrary places.

To search for specific text in an event, put that text in a search command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...