topic Re: Assign result of a subsearch to a token in an <eval> dashboard XML tag in Splunk Search

Assign result of a subsearch to a token in an dashboard XML tag

DanK — Mon, 14 Sep 2020 23:47:04 GMT

It's possible to assign the result of a subsearch to a field with the eval command as can be seen in the following snippet:

| makeresults | eval blahblah = [ | makeresults | eval search="\"blah\"" ]

How can I accomplish this in an <eval> dashboard XML tag?

I've tried the below in the dashboard XML source but the result is just '$blahblah$' instead of 'blah', as if the `blahblah` token is not defined:

<eval token="blahblah"> [ | makeresults | eval search="\"blah\"" ] </eval>  <eval token="blahblah"> [ | makeresults | eval myOutput = "\"blah\"" | return $myOutput ] </eval>  <panel> <title>DEBUG</title> <html> <pre> blahblah = '$blahblah$' </pre> </html> </panel>

In the documentation about <eval> and its limitations, subsearches are not listed in the list of limitations and unsupported functionality, so this should be possible.

Re: Assign result of a subsearch to a token in an dashboard XML tag

richgalloway — Tue, 15 Sep 2020 00:52:23 GMT

Why are you using a subsearch by itself? Use a search. Not that it really matters since you can't use a search (or subsearch) query in an eval. The eval element requires an eval expression such as "\"blah\"'.

Re: Assign result of a subsearch to a token in an dashboard XML tag

DanK — Tue, 15 Sep 2020 03:14:45 GMT

According to the documentation which I linked in my original post, the <eval> tag's contents behave the same as the eval SPL command with a small list of differences. This list of differences does not include the inability to use subsearches.

If you click the link I included, it brings you right to the section which mentions this but I've nevertheless pasted it below for your convenience.

If the documentation is not true, it should be updated.

---

The dashboard eval expression has the same syntax and semantics as the eval expression syntax for SPL queries. Most of the same eval expression functionality is the same between the dashboard eval expression and the SPL version of eval. However, there are some important exceptions.

Unavailable dashboard eval expression functions

commands(X)
searchmatch(X)
exact(X)
Cryptographic hash functions:

*md5(X) *sha1(X) *sha256(X) *sha512(X) *sigfig(X) *spath(X,"Y")

eval expression functions with different behavior for dashboards

relative_time(X,Y): Uses client time zone.
strftime(X,Y): Uses client time zone.
strptime(X,Y): Uses client time zone.

It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript.

To learn more about eval expression functions, see eval in Search Reference.