I've got a query that will have a string passed into it. In this case, it's "2-Low". I need to parse out the number and match that to rows with a field called 'score' containing the same value.
Strangely enough, this query isn't returning results (there is definitely matching data):
index=someindex | parser | eval ar = split("2-Low","-") | eval tl = mvindex(ar, 0) | search score = tl
As a sanity check, if I try this to make sure the string manipulation worked, I get the number "2" as expected.
index=someindex | parser | eval ar = split("2-Low","-") | eval tl = mvindex(ar, 0) | fields tl
Any thoughts on what I might not be doing correctly?
The problem is that you are using search instead of where. The search command ALWAYS understands the Right-Hand-Value to be a string-literal, whereas where presumes the RHV to be a fieldname and switches to treating it as a string-literal only if you force it to, such as by enclosing it in double-quotes.
where does NOT switch to treating a fieldname as a string literal if that field does not exist. Doing so would be terrible. Example:
| stats count | eval field = "foo" | where field = "foo"
| stats count | eval field = "foo" | where field = foo
By your reasoning, both searches should keep the one event generated by the stats. However, the field foo does not exist, hence it's comparing field to null(), yielding false and dropping the event. This is the only sane behaviour imaginable.
Additionally, I would recommend against enclosing RHS fields in dollar signs because that would break when included in dashboards - those would then treat the dollar-sign-fieldname as a form token. Instead, enclose the field name in single quotes as documented here: http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Eval#Required_arguments
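The following is an added, self-contained illustration of the search-versus-where distinction discussed in the answer and comments above; it is not part of the original question or answer. It replaces the poster's index and the unknown parser command with constructed data from makeresults so it can be run on any Splunk instance, and it assumes a numeric score field with the values 1, 2 and 3.

```spl
| makeresults count=3
| streamstats count AS score
| eval ar = split("2-Low", "-")
| eval tl = mvindex(ar, 0)

``` search treats the right-hand side as the literal string "tl", so this drops every event: ```
| search score = tl

``` where treats the unquoted right-hand side as a field name, so this keeps the single event whose score is 2: ```
| where score = tl

``` The single-quoted form is the documented, dashboard-safe way to spell a field name on either side of a where comparison (the $tl$ form would be mistaken for a dashboard token): ```
| where score = 'tl'

``` Double quotes force where to compare against a string literal; this again drops every event, because no score equals the text "tl": ```
| where score = "tl"
```

Run the four variants one at a time, each appended to the first four lines, and compare the event counts: only the two where forms that reference the field keep the score=2 row.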
You are correct, I have adjusted my answer to reflect the more correct nuance.
Perfect. Thanks for the explanation!
You should click "Accept" to close out the question.