https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204375#M59361 <P>You should click "Accept" to close out the question.</P> Sat, 24 Oct 2015 14:56:41 GMT woodcock 2015-10-24T14:56:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204372#M59358 <P>I've got a query that will have a string passed into it. In this case, it's "2-Low". I need to parse out the number and match that to rows with a field called 'score' containing the same value.</P> <P>Strangely enough, this query isn't returning results (there is definitely matching data):</P> <PRE><CODE>index=someindex | parser | eval ar = split("2-Low","-") | eval tl = mvindex(ar, 0) | search score = tl </CODE></PRE> <P>As a sanity check, if I try this to make sure the string manipulation worked, I get the number "2" as expected.</P> <PRE><CODE>index=someindex | parser | eval ar = split("2-Low","-") | eval tl = mvindex(ar, 0) | fields tl </CODE></PRE> <P>Any thoughts on what I might not be doing correctly?</P> Fri, 23 Oct 2015 13:46:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204372#M59358 kkatzgraukeyw 2015-10-23T13:46:19Z https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204373#M59359 <P>The problem is that you are using <CODE>search</CODE> instead of <CODE>where</CODE>. The <CODE>search</CODE> command ALWAYS understands the Right-Hand-Value to be a string-literal whereas <CODE>where</CODE> presumes the RHV to be a fieldname and switches to treating it as a string-literal only if you force it to, such as by enclosing it in double-quotes.</P> Fri, 23 Oct 2015 14:33:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204373#M59359 woodcock 2015-10-23T14:33:34Z https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204374#M59360 <P>Perfect. Thanks for the explanation!</P> Fri, 23 Oct 2015 17:08:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204374#M59360 kkatzgraukeyw 2015-10-23T17:08:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204375#M59361 <P>You should click "Accept" to close out the question.</P> Sat, 24 Oct 2015 14:56:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204375#M59361 woodcock 2015-10-24T14:56:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204376#M59362 <P><CODE>where</CODE> does <STRONG>NOT</STRONG> switch to treating a fieldname as a string literal if that field does not exist. Doing so would be terrible. Example:</P> <PRE><CODE>| stats count | eval field = "foo" | where field = "foo" | stats count | eval field = "foo" | where field = foo </CODE></PRE> <P>By your reasoning, both searches should keep the one event generated by the <CODE>stats</CODE>. However, the field <CODE>foo</CODE> does not exist, hence it's comparing <CODE>field</CODE> to <CODE>null()</CODE> yielding false and dropping the event. This is the only sane behaviour imaginable.</P> <P>Additionally, I would recommend against enclosing RHS fields in dollar signs because that would break when included in dashboards - those would then treat the dollar-sign-fieldname as a form token. Instead, enclose the field name in single quotes as documented here: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Eval#Required_arguments">http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Eval#Required_arguments</A></P> Sat, 05 Dec 2015 14:40:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204376#M59362 martin_mueller 2015-12-05T14:40:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204377#M59363 <P>You are correct, I have adjusted my answer to reflect the more correct nuance.</P> Sat, 05 Dec 2015 17:09:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-match-a-field-to-a-variable/m-p/204377#M59363 woodcock 2015-12-05T17:09:19Z