Re: Use eval field inside append search

mad_splunker · ‎09-25-2023

Hello Splunkers,

I am trying below query -

index=someindex cluster=gw uuid=gw98037234c6e51a48816016172b8a3c56
| eval api_uuid="gw"+reqid
| head 1
| append [search index=someindex cluster=api uuid=api_uuid]

Basically what I am trying is to get result from first search, evaluate new field from first search and add it as condition to second search. It is not working if I supply api_uuid field but If I replace uuid in append with actual computed value it is returning proper result. I have seen few people using join but dont want to use join as its expensive and comes with limit. Any solution to above query ?

mad_splunker · ‎09-25-2023

Nope not working

kamlesh_vaghela · ‎09-25-2023

@mad_splunker

index=someindex cluster=api uuid=api_uuid [ search index=someindex cluster=gw uuid=gw98037234c6e51a48816016172b8a3c56 | eval uuid="gw"+reqid  | table uuid ]

Can you please try this? I have used different approach.

thanks

KV

Use eval field inside append search

splunk-assist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation