Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using eval within a Search Template?

Tisiphone_1
Explorer
‎07-22-2010 11:56 PM

Apologies if this is a novice question, but when I attempt to use any eval statement within a form Search Template, nothing appears to work:

    <searchTemplate>

    index=test | eval searchstring = if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") 
  | search index=test $searchstring$

    </searchTemplate>

Is there something obvious that I am doing wrong? I am looking at the eval documentation, and this seems to be precisely how you are supposed to set a value to a variable. Yet, the variable does not seem usable in the next search. When I look at my search results, I see the form variables resolving, but not the one I set in the eval statement.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-23-2010 12:36 AM

You would need:

index=test  [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ]

You can't expand a variable name in the search command. Using a subsearch is a way around that. You also will have much better performance. The other way would have to retrieve the entire index first, then filter it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-23-2010 12:36 AM

You would need:

index=test  [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ]

You can't expand a variable name in the search command. Using a subsearch is a way around that. You also will have much better performance. The other way would have to retrieve the entire index first, then filter it.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-24-2010 05:58 PM

Oh I guess you can also use a second subsearch, not sure if that will help.

0 Karma
Reply
Solved! Jump to solution

Tisiphone_1
Explorer
‎07-23-2010 11:22 PM

Just FYI, it works great, except for one instance - " " OR (argument) is treated as (any) OR (argument).

I'll find a workaround.

0 Karma
Reply
Solved! Jump to solution

Tisiphone_1
Explorer
‎07-23-2010 08:26 PM

Thanks a bunch. That was much more detail than the documentation goes into.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-23-2010 07:09 AM

Yes. The subsearch is implicitly sent to "format" and the resulting string inserted into the search. You can either just concatenate a bigger expression into the value "search". Or you can go back and re-do the whole thing as a macro.

0 Karma
Reply
Solved! Jump to solution

Tisiphone_1
Explorer
‎07-23-2010 02:10 AM

OK, so 'search' is actually evaluated and piped back.

What if I want to use more than one IF statement?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-23-2010 01:57 AM

You should not have the additional search at the end.

0 Karma
Reply
Solved! Jump to solution

Tisiphone_1
Explorer
‎07-23-2010 01:24 AM

Hmm,

I am doing index=test [ stats count | eval search=if($String1$ == "NOTSPECIFIED"," ","Search1=$String1$") | fields - count ] | search index=test $search$

But I always get "The specified search will not match any events"

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...