How to properly evaluate integer list from inputlo...

oneillryan93 · ‎11-16-2017

I'm attempting to use a subsearch to extract a number of integers in order to transpose those integers as columns. Here is the code for the subsearch:

The search run by itself returns something like "123 124 125 126 127...", so I'm confused why when I run it as a subsearch it returns:

"Error in 'eval' command: The expression is malformed."

I've tried following some similar examples I've seen here, but I can't seem to find anything that works for me.
Thanks.

somesoni2 · ‎11-16-2017

The return command, by default, returns only the single value from first row of specified field (as string). The field 'str' in your subsearch is a multivalued field and thus causes issue in eval. Assuming you want to return list of all 15 'tests' values in a space-delimited string and save it to field 'thing', try something like this

...|eval thing=[| inputlookup lookup.csv | stats values(tests) by tests | sort 15 -tests | stats values(tests) as str | nomv str | eval str="\"".str."\"" | return $str]

The nomv command changes 'str' to a single valued field and next eval will add double qoutes around values as it'll be a space delimited string.

How to properly evaluate integer list from inputlookup subsearch?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk