topic Re: send parameter to eval with return search in Splunk Search

send parameter to eval with return search

jrodriguezap — Fri, 05 Sep 2014 14:39:32 GMT

Hi
You can send a parameter from the main search to return search?
I need to put a condition to return value, something like this:

index=main field_MAIN=* 
| eval test=if(isNull(fieldA),[search index=other_index field_SUB=* | where field_SUB=field_MAIN | head 1 | return $fieldA],fieldA)

Note the where field_SUB=field_MAIN

is it possible?
Or some other way to get it?
Thanks!!

Re: send parameter to eval with return search

lguinn2 — Sun, 07 Sep 2014 02:19:37 GMT

Not the way you are doing it. You can return data from a subsearch, either as a single value, a field-value pair, or set of field-value pairs. That't not the problem.

What you can't do is to pass data from the main search to the subsearch. where field_SUB=field_MAIN is not legal. Splunk executes the subsearch first, so there is no data from the main search to pass.

If you want to combine data from two searches in that way, you will need to use another technique. For the example you have given, it appears that you are trying to lookup a value for fieldA from index=other_index. For that, I would use a lookup instead of a second index.

More information about what you are trying to do would probably be helpful.

Re: send parameter to eval with return search

jrodriguezap — Mon, 28 Sep 2020 17:30:42 GMT

Hello Iguiin
Thanks, look, I have logs like these:

  session_id             src_email                dst_email
f2-5407ee2265d2 alexcolquehuanca@hotmail.com   jperez@unicon.com
f2-54asds326sf3 asistecnica@assesores.com      jose.tejadaz@unicon.com
f2-54ds345asf32                                secretary@unicon.com
f2-5407easass22 josevasquez@gmail.com          jose.tejadaz@unicon.com
f2-54ds345asf32 alemontorya@verifica.com

You see, there are some who lack the src_email field, then I try to fill it doing that search return, associating with the session_id field.
I tried to "transaction" masspan = 1d, but in reality, the waiting time to run is very high

host=172.16.1.21 | eval dst_email=if(isNull(src_email),[search host=172.16.1.21 src_email=* earliest=-1d latest=now | where session_id=session_idMAIN | head 1| return $src_email],src_email)
| table session_id,src_email,dst_email

Re: send parameter to eval with return search

jrodriguezap — Mon, 08 Sep 2014 16:45:01 GMT

Hello
You think that is possible? or is there any other way?

Re: send parameter to eval with return search

lguinn2 — Mon, 08 Sep 2014 23:26:46 GMT

This will work for the example you have given - and be much faster

host=172.16.1.21 
| stats values(src_email) as src_email values(dst_email) as dst_email by session_id