https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600756#M209109 <P>what if i use "where" command to set the source. does it impact the performance?</P><P>Example using #2 instead of #1</P><P>1. index=main sourcetype="access_combined" source="app1"</P><P>2. index=main sourcetype="access_combined" | where match(source,"app1")</P><P>&nbsp;</P> Mon, 06 Jun 2022 20:05:34 GMT biju_babu 2022-06-06T20:05:34Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600627#M209076 <P>Could you please let me know how to use an evaluated field in search command</P> <P>index=main sourcetype="access_combined"</P> <P>| eval field1="search-val1|search-val2"</P> <P>| eval searchval=mvindex(split(field1,"|"),1)</P> <P><STRONG>| search "*search-val2*"</STRONG></P> <P>I am trying to create a dashboard with one of the search as above. I&nbsp;get the field1 value from dropdown list in dashboard. Something like&nbsp;</P> <P>| eval field1 = $searchkey$</P> <P>The above works with the static value in search command but I am trying to use searchval field in search command like</P> <P><STRONG>| search 'searchval'</STRONG></P> <P>Can someone help?&nbsp;Thanks for the help.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 06 Jun 2022 03:51:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600627#M209076 biju_babu 2022-06-06T03:51:49Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600634#M209078 <P>Try something like this</P><LI-CODE lang="markup">| search [| makeresults | fields - _time | eval field1 = $searchval$]</LI-CODE> Sun, 05 Jun 2022 19:24:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600634#M209078 ITWhisperer 2022-06-05T19:24:19Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600635#M209079 <P>sorry - that is not working.</P><P>Basically, I need to execute command like this</P><P><SPAN>index=main sourcetype="access_combined" "<STRONG>*search-val2*</STRONG>"</SPAN></P><P><SPAN>where "search-val2" get evaluate from pipe(|) separated&nbsp;string</SPAN></P><P>&nbsp;</P> Sun, 05 Jun 2022 20:14:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600635#M209079 biju_babu 2022-06-05T20:14:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600647#M209083 <P>Is there any reason why "search" is the only choice command? &nbsp;Why not use&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where" target="_blank" rel="noopener">where</A>? &nbsp;For example,</P><LI-CODE lang="markup">| where match(_raw, searchval)</LI-CODE><P>&nbsp;</P> Mon, 06 Jun 2022 05:52:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600647#M209083 yuanliu 2022-06-06T05:52:42Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600654#M209084 <P>Do the separation in the makeresults subsearch</P><LI-CODE lang="markup">| search [| makeresults | fields - _time | eval field1 = $searchval$ | eval query=mvindex(split(field1,"|"),1) | fields query]</LI-CODE> Mon, 06 Jun 2022 06:40:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600654#M209084 ITWhisperer 2022-06-06T06:40:16Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600756#M209109 <P>what if i use "where" command to set the source. does it impact the performance?</P><P>Example using #2 instead of #1</P><P>1. index=main sourcetype="access_combined" source="app1"</P><P>2. index=main sourcetype="access_combined" | where match(source,"app1")</P><P>&nbsp;</P> Mon, 06 Jun 2022 20:05:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600756#M209109 biju_babu 2022-06-06T20:05:34Z https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600775#M209116 <P>This will affect performance mainly because the first search in #2 will return more events than that in #1.</P><P>As a side, if source is precisely "app1", do not use match(). &nbsp;Just say | where source=="app1". &nbsp;A callout to a function adds to memory and compute; and match() is a regex function, adds even more compute.</P> Tue, 07 Jun 2022 04:47:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-an-evaluated-field-in-search-command/m-p/600775#M209116 yuanliu 2022-06-07T04:47:50Z