cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
rcorfield
Explorer
Member since: ‎08-23-2017
‎06-05-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 4
Karma Received 0
Member Since ‎08-23-2017
Activity Feed
View All

Re: How to pass the values of an evaluated field i...

by in Knowledge Management
‎07-12-2018 03:50 AM
‎07-12-2018 03:50 AM
Thanks for your suggestions, but unfortunately it still wouldn't populate it with the value of the field, so instead I ended up with things like marker="score_total".score_total I solved it by appending my field to the _raw field in the end. ... View more

Re: How to pass the values of an evaluated field i...

by in Knowledge Management
‎07-12-2018 03:47 AM
‎07-12-2018 03:47 AM
Thanks, but unfortunately I still couldn't see score_total in the summary index using this suggestion. ... View more

Re: How to pass the values of an evaluated field i...

by in Knowledge Management
‎07-12-2018 03:46 AM
‎07-12-2018 03:46 AM
In the end I was able to solve my problem with the help of a similar question that had been asked previously: https://answers.splunk.com/answers/224003/why-am-i-not-able-to-get-any-dynamic-content-using.html I added the content I needed to the _raw field and this was then available as a field in the summary index: index=<index> <query> | eval score1 = if(<subquery1>, 1, 0) | eval score2 = if(<subquery2>, 1, 0) | eval score_total = score1 + score2 | eval _raw=_raw.", score_total=".score_total | collect index=<summary_index> ... View more

How to pass the values of an evaluated field into ...

by in Knowledge Management
‎07-11-2018 08:45 AM
‎07-11-2018 08:45 AM
Hi I am trying to adjust an existing process which collects results of a query into a summary index. What I'm trying to do is add a new evaluated field and pass it into the summary index. I've been looking at the 'marker' option to 'collect', but that passes a string directly rather than the value of the field. Is there any way to pass the value of the field? This is roughly what I'm trying: index=<index> <query> | eval score1 = if(<subquery1>, 1, 0) | eval score2 = if(<subquery2>, 1, 0) | eval score_total = score1 + score2 | collect index=<summary_index> marker="score_total=score_total" I was naively hoping that the 'score_total' field in the summary index (which now exists) would hold the evaluated numeric value, but unfortunately (for me) it contains the string 'score_total'. Is there any way to achieve what I'm trying to do here? Or some alternative? Thanks in advance. Richard ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to