topic Re: How to assign a string value from a subsearch to a eval which should map to all the events? in Splunk Search

How to assign a string value from a subsearch to a eval which should map to all the events?

sudeshna_dash — Thu, 14 Dec 2017 10:19:29 GMT

I am trying to extract a value and add it to every events of that sourcetype.

source="c:\\splunk monitors\\log(2).txt"  | eval ServiceTag = [search source="c:\\splunk monitors\\log(2).txt" | head 1 |  rex field=_raw "^[^\[\n]*\[(?P<SvcTag>[^\]]+)" | eval tag = SvcTag | return $tag ]

Here $tag returns 5Q4RZH2 which is a string and thus, it is not able to get stored in ServiceTag variable of eval.
If the tag would have returned some number such as "123" then it is able to store the same.
E.g.

    source="c:\\splunk monitors\\log(2).txt"  | eval ServiceTag = [search source="c:\\splunk monitors\\log(2).txt" | head 1 |  rex field=_raw "^[^\[\n]*\[(?P<SvcTag>[^\]]+)" | eval tag = "123"| return $tag ]

In this scenario, ServiceTag has the value 123
Hence, it is getting difficult to store a string.

Can someone please solve?

Re: How to assign a string value from a subsearch to a eval which should map to all the events?

mayurr98 — Thu, 14 Dec 2017 10:31:26 GMT

Try

source="c:\\splunk monitors\\log(2).txt"  | eval ServiceTag =case( [search source="c:\\splunk monitors\\log(2).txt" | head 1 |  rex field=_raw "^[^\[\n]*\[(?P<SvcTag>[^\]]+)" | eval tag = SvcTag | return 10000 tag ],tag)

Let me know if this helps!

Re: How to assign a string value from a subsearch to a eval which should map to all the events?

sudeshna_dash — Thu, 14 Dec 2017 10:41:15 GMT

Thanks @mayurr98 but this doesn't solve the problem

Re: How to assign a string value from a subsearch to a eval which should map to all the events?

HiroshiSatoh — Thu, 14 Dec 2017 11:10:55 GMT

Try this!

| eval tag = SvcTag | return $tag ]
↓
| eval tag = "\""+SvcTag+"\"" | return $tag ]

Re: How to assign a string value from a subsearch to a eval which should map to all the events?

niketn — Thu, 14 Dec 2017 11:24:33 GMT

@sudeshna_dash, are you doing it in a dashboard? Can you add some sample data and post the example above using code button?

Re: How to assign a string value from a subsearch to a eval which should map to all the events?

sudeshna_dash — Fri, 15 Dec 2017 14:38:29 GMT

Thanks a lot @HiroshiSatoh, this worked. I am grateful to u