Solved: Re: eval'd value: Why is the 'search' command not ...

mfrost8 · ‎07-17-2018

I'm trying to use a search that looks like

index=<index> sourcetype=<sourcetype>
| eval site=<site>
| lookup host_and_site_coords site OUTPUT host AS siteHost 
| search host=siteHost

That first 'eval' for 'site' is there because it's passed in as a token, but in the normal search it's not necessary. Just needed for troubleshooting this.

My problem is that everything works as expected up to the final 'search' command. That is, the lookup works and creates siteHost as I'd expect. The search command doesn't seem to get the value, however, result in what seems like ' search host="" '.

I know that with subsearches you can't pass in an eval'd value, but I didn't think that applied here.

Or maybe I'm missing something really obvious...

Thanks

somesoni2 · ‎07-17-2018

If all you're doing is filter result based on hosts for a site, try this subsearch filter.

index=<index> sourcetype=<sourcetype> [ | inputlookup host_and_site_coords | table site host | where site="<site value from token>" | table host ]

View solution in original post

somesoni2 · ‎07-17-2018

If all you're doing is filter result based on hosts for a site, try this subsearch filter.

index=<index> sourcetype=<sourcetype> [ | inputlookup host_and_site_coords | table site host | where site="<site value from token>" | table host ]

mfrost8 · ‎07-17-2018

That did it. Thanks very much, somesoni2.

This one falls into another "why didn't I think of that?" category for me. 🙂

eval'd value: Why is the 'search' command not able to get the value?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases