https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189888#M54682 <P>This works! My final version was <CODE>replace(tostring("".tostring($subid$, "hex").""),"x","")</CODE> where I replace the 0x with just 0 as I need 8 digits with a 0-pad in front.</P> Fri, 23 Jan 2015 01:01:23 GMT RMartinezDTV 2015-01-23T01:01:23Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189885#M54679 <P>Hi, I'm trying to run a search for recent transactions based on a user ID. I need to convert the user ID to hex before I can use it as the event field contain the ID in hex. The idea here is to use a dashboard with a form input field for the decimal user ID.</P> <P>This is what I was thinking:</P> <PRE><CODE>| eval userid_hex=tonumber("",16) | search index=xx sourcetype=xx userID=userid_hex | transaction maxevents=2 transactionID </CODE></PRE> <P>which gives me no events returned. I've rearranged the location of the eval and get the same results.</P> <P>Obviously this works:</P> <PRE><CODE>index=xx sourcetype=xx | eval userid_hex=tonumber("",16) | search userID=userid_hex | transaction maxevents=2 transactionID </CODE></PRE> <P>but it pull all events in the timewindow before filtering on userID. For 24 hours, I have approximately 3 million events so this is very inefficient.</P> <P>Is there a way to do evals before the initial search? Or am I missing some alternative method?</P> Thu, 22 Jan 2015 17:43:28 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189885#M54679 RMartinezDTV 2015-01-22T17:43:28Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189886#M54680 <P>You'll need an eval-based macro for that. And tonumber() is not the right function, you'll need tostring(). </P> <OL> <LI>Create a Macro that has the eval-based definition checked (in Advanced Search | Macros)</LI> <LI>Call it in your search before the first pipe</LI> </OL> <P>Macro Name: <CODE>toHex(1)</CODE><BR /> Macro Definition: <CODE>tostring("\"".tostring($idDecimal$, "hex")."\"")</CODE></P> <P>Usage: index=xx sourcetype=xx `toHex(22)`</P> <P>In your form obviously you'd need to substitue 22 above with the userId token. </P> Thu, 22 Jan 2015 18:18:11 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189886#M54680 _d_ 2015-01-22T18:18:11Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189887#M54681 <P>You could do this with a simple subsearch (remember, subsearches get executed first):</P> <PRE><CODE>index=xx sourcetype=xx [|gentimes start=-1 | eval userID=tostring(yournumbergoeshere,"hex") | fields userID] </CODE></PRE> Thu, 22 Jan 2015 18:26:21 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189887#M54681 aweitzman 2015-01-22T18:26:21Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189888#M54682 <P>This works! My final version was <CODE>replace(tostring("".tostring($subid$, "hex").""),"x","")</CODE> where I replace the 0x with just 0 as I need 8 digits with a 0-pad in front.</P> Fri, 23 Jan 2015 01:01:23 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-eval-before-the-initial-event-search/m-p/189888#M54682 RMartinezDTV 2015-01-23T01:01:23Z