
eval var to store single values

vinzent
New Member

Hi,

I would like to run different queries and store single values in variables with eval.
My purpose is then to print these single values in SVG objects.
Is that possible?

eval count1=[ search index=rswaf device=waf11  | stats count by device | table count]
| eval count2=[search index=rswaf device=waf12  | stats count by device | table count]

... etc ...

When running the queries separately and without eval, I have an integer result for each, i.e. 644 for count1 and 12 for count2.

Unfortunately it does not seem to work. I tried with double quotes, single quotes etc ...
I can never have the query result into the count1 and 2 variables.

I'm sure I'm missing something very simple ... but what ?

Many thanks for your help


Sukisen1981
Champion

Hi,

It is possible. I tested this query on the default _audit index. If you have access to the default _audit index you can run the below code as is:
|makeresults|eval count1=[ search index=_audit | stats count by action | table count | return $count]
| eval count2=[ search index=_audit | stats count by info | table count | return $count]

Here I have taken count1 as a count by the action field in the _audit index & count2 as a count by the info field in the _audit index.

So, what is going wrong with your query?
The command expects the index and the count by field values (action and info in the above example) to exist, failing which it will return the error you describe above. I re-ran the above query, slightly changing it by changing the index to index=dummy, and I received the above error.
But, I know your index is existing, what else can go wrong?
The count by fields. Is device an extracted field? For example, I changed the action (which is an extracted field at index time) to have the string dummy added to the action and I ran a query like this:

index=_audit
| eval actionable=action+"dummy"
| eval count1=[ search index=_audit
    | stats count by actionable | table count | return $count]
| table count1

This won't work and will give me the error that you see: "Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression". Why so? Because the sub search in the eval count1 gets executed first AND that search does not find any field called 'actionable'!
However, if I add an eval inside the sub search and re-jig my query to this:

index=_audit
| eval count1=[ search index=_audit
    | eval actionable=action+"dummy"
    | stats count by actionable | table count | return $count]
| table count1

It works because the count1 eval search query now knows what the actionable field means.
See second screenshot.
So, you need to re-jig your sub search query and define your fields accordingly. I suggest you run and test on the _audit index with the as-is queries given above to get an understanding of how to retrofit it to your actual index and fields. There are no issues with the eval command, rather with the field mapping and discovery, but I do think these hints on the _audit index will set you on your way.
I apologize for replying late but I had to concentrate on actual office work - the bread & butter calls 🙂

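As an added example (not part of the thread, and not the answerer's code) the two patterns below contrast the per-value subsearch approach from the accepted answer with a single-pass alternative. The index name and device values are taken from the question; the earliest= time bound is an assumption, and the searches are not executed here.

```spl
| makeresults
| eval count1=[ search index=rswaf device=waf11 earliest=-24h | stats count | return $count ]
| eval count2=[ search index=rswaf device=waf12 earliest=-24h | stats count | return $count ]
| table count1 count2

index=rswaf device IN (waf11, waf12) earliest=-24h
| stats count by device
| transpose 0 header_field=device column_name=metric
```

Two design notes. First, `stats count` without a by-clause always returns one row (count=0 when nothing matches), so `return $count` yields `0` rather than an empty string; with `stats count by device` an empty subsearch produces no row, leaving `eval count1=` with no right-hand side, which is the "Failed to parse the provided arguments" error shown in the thread. Second, each bracketed subsearch is a separate search job bound by the subsearch limits (by default 10,000 results and 60 seconds), so one subsearch per device does not scale; the second search counts every device in one pass and `transpose` turns the device values into column names, giving a single row with a waf11 and a waf12 field that can be referenced the same way count1 and count2 are.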

vinzent
New Member

Wouaw.
Wonderful answer, that could easily be a blog article!
I'm all set now!

Thanks Sukisen.
Vince



Sukisen1981
Champion
|makeresults|eval count1=[ search index=rswaf device=waf11  | stats count by device | table count | return $count]

and so on and so forth 🙂


vinzent
New Member

Hi Sukisen,

Thanks for taking time to answer my question.
I followed your advice, unfortunately this is still not working.

Here are some elements.
It's still unclear to me whether this is possible with the Splunk search engine or not ...
Any help or suggestion is really welcome!

Thanks again

|makeresults
|eval count1=[ search index=rswaf device=waf11 | stats count by device | table count | return $count]

This returns the following log:

05-07-2019 09:37:26.260 ERROR EvalCommand - Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
05-07-2019 09:37:26.260 ERROR SearchPhaseGenerator - Fallback to two phase search failed:Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
05-07-2019 09:37:26.261 ERROR SearchOrchestrator - Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
05-07-2019 09:37:26.265 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
