topic Re: not editable fields in Splunk Search

not editable fields

sfatnass — Fri, 12 Jun 2015 10:29:51 GMT

hi everybody,

i'm try to conserve content field value but i don't understand how i can.

in my search :
index=A OR index=B
initial : field1 is here
<here i'm using filtering with regex and dbquery>
after that i get filtered (field1) = field2
but if i want to reuse the initial value of field1 i should to use join or append [index=A OR index=B field1]
how can i reuse the initial field1 without join or append.

ps : i tryed to use eval newfield=field1 but it don't work the newfield does not remain as it is
i'm thinking about kvstore but if i can use a special commands it will be great
thx

Re: not editable fields

stephanefotso — Fri, 12 Jun 2015 10:49:58 GMT

Hello! The only way to use the initial value of field1 it is to use the eval or a subsearch.
And if you use eval, do something like this: |eval newfield=field1, and not |aval field1=newfield, because it will change the initial value of field1.

Thanks

Re: not editable fields

sfatnass — Fri, 12 Jun 2015 10:56:07 GMT

i use |eval newfield=field1 but newifield change where is aval ????

Re: not editable fields

stephanefotso — Fri, 12 Jun 2015 11:05:41 GMT

I do not know if I've understood very well your problem. field1 is not the field you want to reuse? Because |eval newfield=field1 will not change de value of field1, But the value of newfield will be the value of field1.

Re: not editable fields

sfatnass — Fri, 12 Jun 2015 12:43:46 GMT

but i want to conserve the integral values in my new fields

Re: not editable fields

stephanefotso — Fri, 12 Jun 2015 14:18:32 GMT

That is what you have to know. If you want to reuse the initial value of a field in your search query, do not assign to that field a value, before the use of the field. For example:
Let suppose that you have a field named field1, and that, initially field1=10.
Then in your search query, if you do something like this: ...|eval field1=50|eval field2=field1+5|table field1 field2
result:

field1 field2
50 55

As you can see, the initial value of field1 has change, and that is why field2=55.

But if you do like this: ...|eval field2=field1|eval field3=field1+5|table field1 field2 field3
result:
field1 field2 field3
10 10 15
Here the initial value of field1 did not change, and t that is why you have field3=15

Thanks

Re: not editable fields

sfatnass — Tue, 30 Jun 2015 07:31:23 GMT

i just want to reuse a field as it was before being filtered

Re: not editable fields

chimell — Tue, 30 Jun 2015 08:37:43 GMT

Hi sfatnass

Retry with multisearch command which Run multiple searches at the same time.
See it syntax

| multisearch <subsearch1> <subsearch2> <subsearch3> ...

For you case try to use

|multisearch [search index=A OR index=B |eval field1=field2][search index=A OR index=B |fields field1]............

Tell if it works like you want

Re: not editable fields

sfatnass — Tue, 30 Jun 2015 08:42:57 GMT

chimell the index A can't match with index B

for index A i have a field and i try to get a newfield like
|eval newfieldA=fieldA

the fieldA will be filtered by many dbquery
but i want to reuse newfieldA like it was before filtering.

Re: not editable fields

chimell — Tue, 30 Jun 2015 09:25:30 GMT

Can you show me your search code ?
field1 below to which index ?

Re: not editable fields

sfatnass — Tue, 30 Jun 2015 09:29:50 GMT

oh sorry i can't show you my code it's not public values

Re: not editable fields

DavidHourani — Tue, 30 Jun 2015 09:35:58 GMT

Could you please post the regex you are using ? are you applying the regex on the raw data ? because if thats the case even if you recreate the field it would still get modified.. make sure you apply it on the specific field.

Re: not editable fields

chimell — Tue, 30 Jun 2015 10:05:22 GMT

Ok without problem but see my new answer above