topic Re: Use result of eval to search in the same query in Splunk Search

Use result of eval to search in the same query

splunkmasterfle — Mon, 21 Jul 2014 19:57:16 GMT

Hi,

Is this command not valid.

index=batch | eval newField = lower(strftime(strptime("2014-oct" + "01","%Y-%b%d"),"regular"+"%b%y")) | search newField

This command never returns any values. I have checked the basics. Just wondering if eval does not work this way. Thanks

Re: Use result of eval to search in the same query

somesoni2 — Mon, 21 Jul 2014 20:11:10 GMT

This syntax does work fine. (Try below runanywhere sample)

|gentimes start=-1 |  eval newField = lower(strftime(strptime("2014-oct" + "01","%Y-%b%d"),"regular"+"%b%y")) | table newField

I guess the problem is with "search newField". This is like searching for string 'newField' in raw events and raw events doesn't have this field so no rows are returned. You should change this to "search newField=*" OR "where isnotnull(newField)"

Re: Use result of eval to search in the same query

aweitzman — Mon, 21 Jul 2014 20:29:59 GMT

I think maybe the OP needs a subsearch-type syntax, because it looks like they are searching for the resulting value of the eval expression. So something like:

index=batch [| gentimes start=-1 | eval newField=... | table newField]

That should translate the subsearch expression into (newField=<value of eval expression>) and apply that to index=batch, which I think is what is being asked for here.

Re: Use result of eval to search in the same query

splunkmasterfle — Mon, 21 Jul 2014 21:01:02 GMT

I manage to make this work when I have a hard coded value in the strptime function. However it does not work when I try and do the following :

index=batch AND [ search index=batch | eval partName=lower(strftime(strptime($cn$+"01","%Y-%b%d"),"regular"+"%b%y")) | table partName]

$cn$ being the value sent from another dashboard. The dashboard hangs on "Waiting for Input"

Re: Use result of eval to search in the same query

aweitzman — Mon, 21 Jul 2014 21:10:39 GMT

Does putting quotes around it help?

...(strptime("$cn$"+"01",...

Re: Use result of eval to search in the same query

splunkmasterfle — Tue, 22 Jul 2014 13:56:20 GMT

Doesn't seem to change anything, no 😞

Re: Use result of eval to search in the same query

somesoni2 — Tue, 22 Jul 2014 14:21:07 GMT

Did you verify if the token $cn$ is receiving values? Also, if your panels have autoRun=true or you have a Submit button? The message 'Waiting for input' does suggest that the tokens are not resolved.

Re: Use result of eval to search in the same query

splunkmasterfle — Tue, 22 Jul 2014 14:52:59 GMT

I know the token is received in my dashboard because it is visible via http GET (?form.cn=2015-Feb). I do not have a submitButton, however I do have a input dropdown that has searchWhenChanged=true. Is it maybe the fact that I use the token within a for my chart?

Re: Use result of eval to search in the same query

somesoni2 — Tue, 22 Jul 2014 15:08:41 GMT

Does the query works if you change the value in the input dropdown? Also, can you try by adding autoRun=True in the

Re: Use result of eval to search in the same query

splunkmasterfle — Wed, 23 Jul 2014 13:53:40 GMT

So I figured it out. I didn't have the token linked to a fieldset element!

Re: Use result of eval to search in the same query

splunkmasterfle — Wed, 23 Jul 2014 14:00:10 GMT

The answer provided by aweitzman worked perfectly:

index=batch [| gentimes start=-1 | eval newField=... | table newField]

(If you want to post the answer I can mark it as solved)

Re: Use result of eval to search in the same query

aweitzman — Wed, 23 Jul 2014 14:19:00 GMT

Just made it an answer.