
Assign result of a subsearch to a token in an <eval> dashboard XML tag

DanK
Explorer

It's possible to assign the result of a subsearch to a field with the eval command as can be seen in the following snippet:

 

| makeresults
| eval blahblah = [
  | makeresults 
  | eval search="\"blah\""
]

 

How can I accomplish this in an <eval> dashboard XML tag?

I've tried the below in the dashboard XML source but the result is just '$blahblah$' instead of 'blah', as if the `blahblah` token is not defined:

 

<eval token="blahblah">
  [
    | makeresults
    | eval search="\"blah\""
  ]
</eval>

<!-- OR -->

<eval token="blahblah">
  [
    | makeresults 
    | eval myOutput = "\"blah\""
    | return $myOutput
  ]
</eval>

<!-- ... -->

<panel>
  <title>DEBUG</title>
  <html>
    <pre>
      blahblah = '$blahblah$'
    </pre>
  </html>
</panel>

 

 In the documentation about <eval> and its limitations, subsearches are not listed in the list of limitations and unsupported functionality, so this should be possible.

0 Karma

richgalloway
SplunkTrust

Why are you using a subsearch by itself?  Use a search.  Not that it really matters since you can't use a search (or subsearch) query in an eval.  The eval element requires an eval expression such as "\"blah\"".

---
If this reply helps you, Karma would be appreciated.
0 Karma
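As an added example (not code from either poster), the usual Simple XML way to get a search result into a token is to run the search as its own <search> element and copy a field from the first result row into the token in a <done> handler with <set>, rather than putting a subsearch inside <eval>. The search text, the field name myOutput and the token name blahblah below are assumed for illustration:

```xml
<dashboard>
  <label>Subsearch result into a token</label>

  <!-- Added example, not from the thread. The search runs on its own; when it
       finishes, the <done> handler copies the field myOutput of the first
       result row into the token blahblah. Search text, field name and token
       name are assumed for illustration. -->
  <search>
    <query>| makeresults | eval myOutput="blah"</query>
    <done>
      <!-- $result.myOutput$ is the value of myOutput in the first result row -->
      <set token="blahblah">$result.myOutput$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>DEBUG</title>
      <html>
        <!-- renders as: blahblah = 'blah' once the search above has completed -->
        <pre>blahblah = '$blahblah$'</pre>
      </html>
    </panel>
  </row>
</dashboard>
```

The <done> handler fires only after the search completes, and $result.field$ reads the first result row only. If the search returns no rows the token is never set, and the panel shows the literal $blahblah$, the same symptom described in the question.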

DanK
Explorer

According to the documentation which I linked in my original post, the <eval> tag's contents behave the same as the eval SPL command with a small list of differences. This list of differences does not include the inability to use subsearches.

If you click the link I included, it brings you right to the section which mentions this but I've nevertheless pasted it below for your convenience.

If the documentation is not true, it should be updated.

---

The dashboard eval expression has the same syntax and semantics as the eval expression syntax for SPL queries. Most of the same eval expression functionality is the same between the dashboard eval expression and the SPL version of eval. However, there are some important exceptions.

Unavailable dashboard eval expression functions

  • commands(X)
  • searchmatch(X)
  • exact(X)
  • Cryptographic hash functions:
    • md5(X)
    • sha1(X)
    • sha256(X)
    • sha512(X)
  • sigfig(X)
  • spath(X,"Y")

eval expression functions with different behavior for dashboards

  • relative_time(X,Y): Uses client time zone.
  • strftime(X,Y): Uses client time zone.
  • strptime(X,Y): Uses client time zone.

It is also important to note that regular expressions in dashboard eval expressions use the syntax and semantics of the JavaScript regular expression engine. This is not the same engine used for SPL eval expressions. If you are using regular expressions in search tokens, check that syntax and semantics match those for JavaScript.

To learn more about eval expression functions, see eval in Search Reference.

0 Karma