Assign result of a subsearch to a token in an <eval> dashboard XML tag

DanK
Explorer

It's possible to assign the result of a subsearch to a field with the eval command as can be seen in the following snippet:

| makeresults
| eval blahblah = [
  | makeresults
  | eval search="\"blah\""
]

How can I accomplish this in an <eval> dashboard XML tag?

I've tried the below in the dashboard XML source but the result is just '$blahblah$' instead of 'blah', as if the `blahblah` token is not defined:

<eval token="blahblah">
  [
    | makeresults
    | eval search="\"blah\""
  ]
</eval>

<!-- OR -->

<eval token="blahblah">
  [
    | makeresults
    | eval myOutput = "\"blah\""
    | return $myOutput
  ]
</eval>

<!-- ... -->

<panel>
  <title>DEBUG</title>
  <html>
    <pre>
      blahblah = '$blahblah$'
    </pre>
  </html>
</panel>

In the documentation about <eval> and its limitations, subsearches are not listed in the list of limitations and unsupported functionality, so this should be possible.


richgalloway
SplunkTrust

Why are you using a subsearch by itself? Use a search. Not that it really matters, since you can't use a search (or subsearch) query in an eval. The eval element requires an eval expression such as "\"blah\"".

---
If this reply helps you, Karma would be appreciated.

DanK
Explorer

According to the documentation which I linked in my original post, the <eval> tag's contents behave the same as the eval SPL command with a small list of differences. This list of differences does not include the inability to use subsearches.

If you click the link I included, it brings you right to the section which mentions this but I've nevertheless pasted it below for your convenience.

If the documentation is not true, it should be updated.

---

The dashboard eval expression has the same syntax and semantics as the eval expression syntax for SPL queries. Most of the same eval expression functionality is the same between the dashboard eval expression and the SPL version of eval. However, there are some important exceptions.

Unavailable dashboard eval expression functions

  • commands(X)
  • searchmatch(X)
  • exact(X)
  • Cryptographic hash functions: md5(X), sha1(X), sha256(X), sha512(X)
  • sigfig(X)
  • spath(X,"Y")

eval expression functions with different behavior for dashboards

  • relative_time(X,Y): Uses client time zone.
  • strftime(X,Y): Uses client time zone.
  • strptime(X,Y): Uses client time zone.

It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript.

To learn more about eval expression functions, see eval in Search Reference.

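The supported Simple XML way to get a search result into a token, as an added example that is not from any post in this thread: run the query in a <search> element and copy the result field into the token with <set> inside its <done> handler, so that <eval> only ever receives a plain expression. The search id, token names and the "blah" value are constructed for the example.

```xml
<form>
  <label>Token from search result (added example)</label>

  <!-- Run the query as a search, not inside <eval>; $result.field$ is
       available in the <done> handler once the search finishes. -->
  <search id="set_blahblah">
    <query>| makeresults | eval myOutput="blah"</query>
    <done>
      <!-- Assign the raw result field to the token. -->
      <set token="blahblah">$result.myOutput$</set>
      <!-- <eval> is for expressions on already-substituted values;
           quote the token because substitution inserts raw text. -->
      <eval token="blahblah_upper">upper("$result.myOutput$")</eval>
    </done>
  </search>

  <row>
    <panel>
      <title>DEBUG</title>
      <html>
        <pre>blahblah = '$blahblah$'
blahblah_upper = '$blahblah_upper$'</pre>
      </html>
    </panel>
  </row>
</form>
```

Until the search completes the panel shows the literal '$blahblah$', which is the same symptom as an undefined token, so a <done> handler that never fires (e.g. a query error) looks identical to the original problem.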