https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391364#M171071 <P>I'm trying to eval value from subsearch<BR /> ex searching specific data collecting them to multivalue field and pass to variable than search.<BR /> Do splunk have variables something like global variables </P> Sat, 25 May 2019 20:47:24 GMT borisk95 2019-05-25T20:47:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391362#M171069 <P>I want to |search sourcetype=syslog | eval DATA=[search tratata | eval ip=somedata | return $ip] | search DATA<BR /> Example of ip ( 127.0.0.1 , (answer=127.0.0.1))<BR /> I get an error The number 127.0.0.1 is not valid.<BR /> Trying to use | eval ip=tostring(ip) | return $ip do not help</P> Sat, 25 May 2019 15:27:50 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391362#M171069 borisk95 2019-05-25T15:27:50Z https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391363#M171070 <P>Please describe the problem you are trying to solve. There may be a better way to do it.</P> Sat, 25 May 2019 20:43:27 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391363#M171070 richgalloway 2019-05-25T20:43:27Z https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391364#M171071 <P>I'm trying to eval value from subsearch<BR /> ex searching specific data collecting them to multivalue field and pass to variable than search.<BR /> Do splunk have variables something like global variables </P> Sat, 25 May 2019 20:47:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391364#M171071 borisk95 2019-05-25T20:47:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391365#M171072 <P>First run the subsearch by itself to verify you get the expected results.</P> <PRE><CODE>search tratata | eval ip=somedata | return $ip </CODE></PRE> <P>You may have better luck with</P> <PRE><CODE>search tratata | eval ip=somedata | fields ip | format </CODE></PRE> <P>Modify the search as needed to get the desired output. Once you have the output as you like it, put the query together.</P> <PRE><CODE>sourcetype=syslog | eval DATA=[search tratata | eval ip=somedata | fields ip | format] | search DATA </CODE></PRE> <P>Or perhaps</P> <PRE><CODE>sourcetype=syslog [search tratata | eval ip=somedata | fields ip | format] </CODE></PRE> Sat, 25 May 2019 22:58:14 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391365#M171072 richgalloway 2019-05-25T22:58:14Z https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391366#M171073 <P>Hi @borisk95,</P> <P>You can run the following search for the same results if you're trying to filter on the DATA field :</P> <PRE><CODE> |search sourcetype=syslog [search tratata | eval ip=somedata|rename ip AS DATA | return $DATA] </CODE></PRE> <P>Cheers,<BR /> David</P> Sun, 26 May 2019 07:31:53 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391366#M171073 DavidHourani 2019-05-26T07:31:53Z https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391367#M171074 <P>The reason is to search some value, eval this as a value or combined multivalie and search eval field=1 as | search 1</P> Sun, 26 May 2019 12:30:32 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-help/m-p/391367#M171074 borisk95 2019-05-26T12:30:32Z