Assign result of a subsearch to a token in an <eval> dashboard XML tag

DanK
Explorer

It's possible to assign the result of a subsearch to a field with the eval command as can be seen in the following snippet:
| makeresults
| eval blahblah = [
  | makeresults 
  | eval search="\"blah\""
]
How can I accomplish this in an <eval> dashboard XML tag?

I've tried the below in the dashboard XML source but the result is just '$blahblah$' instead of 'blah', as if the `blahblah` token is not defined:
<eval token="blahblah">
  [
    | makeresults
    | eval search="\"blah\""
  ]
</eval>

<!-- OR -->

<eval token="blahblah">
  [
    | makeresults 
    | eval myOutput = "\"blah\""
    | return $myOutput
  ]
</eval>

<!-- ... -->

<panel>
  <title>DEBUG</title>
  <html>
    <pre>
      blahblah = '$blahblah$'
    </pre>
  </html>
</panel>

In the documentation about <eval> and its limitations, subsearches are not listed in the list of limitations and unsupported functionality, so this should be possible.


richgalloway
SplunkTrust

Why are you using a subsearch by itself? Use a search. Not that it really matters since you can't use a search (or subsearch) query in an eval. The eval element requires an eval expression such as "\"blah\"".

---
If this reply helps you, Karma would be appreciated.
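The point above in working Simple XML, as an added example that is not code from the original post: because <eval> only accepts an eval expression, the search result is moved into the token by the search's <done> handler instead, and the token is then consumed with the |s filter (quotes the value for use inside a query) and the |h filter (HTML-escapes it) so a result-derived value cannot alter the downstream query or the panel markup. The panel titles and the "index=main" consumer query are constructed placeholders.

```xml
<dashboard>
  <label>Search result into a token (added example, not from the original post)</label>

  <!-- Global search: runs once when the dashboard loads. The query is the
       OP's subsearch rewritten as an ordinary search that yields one row. -->
  <search>
    <query>| makeresults | eval myOutput="blah"</query>
    <done>
      <!-- $result.<field>$ reads that field from the first result row, so the
           token is only set once the search has finished. -->
      <set token="blahblah">$result.myOutput$</set>
    </done>
  </search>

  <row>
    <panel>
      <!-- Constructed consumer query: the |s filter wraps the token value in
           double quotes and escapes embedded quotes, so the value is always a
           string literal in the query rather than extra SPL. -->
      <title>Events matching the token</title>
      <table>
        <search>
          <query>index=main field_name=$blahblah|s$ | head 10</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>

    <panel>
      <!-- Same DEBUG panel as in the question; |h escapes HTML characters
           so the value renders as text and cannot inject markup. -->
      <title>DEBUG</title>
      <html>
        <pre>
          blahblah = '$blahblah|h$'
        </pre>
      </html>
    </panel>
  </row>
</dashboard>
```

Until the global search completes, `$blahblah$` is unset; a panel that depends on it can be hidden with `depends="$blahblah$"` so it does not run with an empty value.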

DanK
Explorer

According to the documentation which I linked in my original post, the <eval> tag's contents behave the same as the eval SPL command with a small list of differences. This list of differences does not include the inability to use subsearches.

If you click the link I included, it brings you right to the section which mentions this but I've nevertheless pasted it below for your convenience.

If the documentation is not true, it should be updated.

---

The dashboard eval expression has the same syntax and semantics as the eval expression syntax for SPL queries. Most of the same eval expression functionality is the same between the dashboard eval expression and the SPL version of eval. However, there are some important exceptions.

Unavailable dashboard eval expression functions

  • commands(X)
  • searchmatch(X)
  • exact(X)
  • Cryptographic hash functions:
    • md5(X)
    • sha1(X)
    • sha256(X)
    • sha512(X)
  • sigfig(X)
  • spath(X,"Y")

eval expression functions with different behavior for dashboards

  • relative_time(X,Y): Uses client time zone.
  • strftime(X,Y): Uses client time zone.
  • strptime(X,Y): Uses client time zone.

It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript.

To learn more about eval expression functions, see eval in Search Reference.
