topic Re: How to return a single value from a subsearch into eval in Splunk Search

How to return a single value from a subsearch into eval

Sloefke — Tue, 02 Jun 2015 08:17:56 GMT

Hi,

I'm trying to calculate a value through some lookup statements and then put that value into a variable using eval. I've been googling and reading documentation for a while now and "return" seems the way to go, but I can't get it to work.

Basically what I want to do is:

somesearch | eval somevar=[ subsearch | lookup | return $lookupresult ]

But whatever I try, I never get the "somevar" field in my resulting events.

I tried boiling it down to a very simple dummy query to test this, but even this does not return any "aatest" field in the resulting event:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]

As I understand it, this should just return the "aatest" field with value "test" in the 1 resulting event, no?

Thanks!

Re: How to return a single value from a subsearch into eval

stephanefotso — Tue, 02 Jun 2015 09:15:42 GMT

surprising! I think it should work. Here s an example which is working perfectly

index=_internal |eval aaa=[search index=_internal sourcetype="splunkd"|head 1|eval c2="45555"|return $c2]

index=_internal |eval aaa= 1 + [search index=_internal sourcetype="splunkd"|stats count as c1|return $c1]|table aaa

Re: How to return a single value from a subsearch into eval

Sloefke — Tue, 02 Jun 2015 09:23:31 GMT

Your 2 tests worked for me as well, so I started looking a bit. Seems the only difference is the value of the returned variable, where you use an integer and I use a string. And indeed, this does work:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="123" | return $ip ]

while this still doesn't:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]

What the? return should be able to return strings, no? 😕

Edit: my guess is that the return search does return a string, but it can't be mapped into the "aatest" variable without quotes? Now to try to fix that ...

Re: How to return a single value from a subsearch into eval

stephanefotso — Tue, 02 Jun 2015 10:47:45 GMT

hum! That's a really problem! i'm troubleshooting the issue.

Re: How to return a single value from a subsearch into eval

Sloefke — Wed, 03 Jun 2015 08:36:19 GMT

I've been searching some more as well, but I can't find a way to 'convert' the subsearch to something eval would recognize as a string 😕

Re: How to return a single value from a subsearch into eval

Sloefke — Wed, 03 Jun 2015 13:30:30 GMT

Problem solved (thanks to distributor support)! To pass strings, the quotes need to be added to the variable in the subsearch (which makes sense thinking of it):

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"test\"" | return $ip ]

Re: How to return a single value from a subsearch into eval

evelenke — Fri, 24 Jan 2020 15:25:11 GMT

Another hint ... | return $ip | format ]

Re: How to return a single value from a subsearch into eval

mhergh — Tue, 26 Apr 2022 10:20:48 GMT

weird, the solution didn't worked out for me; it returned the string "ip" instead of the expected ip field value.

But this slightly adapted variant worked for me:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"" + test + "\"" | return $ip ]

Re: How to return a single value from a subsearch into eval

isoutamo — Wed, 20 Mar 2024 12:39:33 GMT

this is the way if you want to return value of some field from inner search. It seems that it excepting those " marks outside of value.

r. Ismo