Solved: How do I use a value of an eval field to search an...

apvinod2003 · ‎03-31-2016

Hi Experts,

I have an input token $env_field$ which has a value: "port123_host123"
host, component and port are existing fields in splunk

I have a search that goes as follows: (basically need to extract the port from input token and use that value to search on the port field)

host=host123 component=cmp123| eval prtInput= replace($env_field$, "([^_]+)\_\w*", "\1")  | search port=prtInput

But this doesn't work. Eval expression is working, i.e., prtInput gets evaluated as "port123" and available as a field in the search result; I checked. But the search port=prtInput portion isn't returning any results somehow. search port=port123 returns results however.

Can't we use a value from eval field piped into a search command? If not, what alternatives do we have to achieve this?

Regards,
Vinod.

jacobwilkins · ‎03-31-2016

Change:

| search port=prtInput

to

| where port==prtInput

View solution in original post

jacobwilkins · ‎03-31-2016

Change:

| search port=prtInput

to

| where port==prtInput

View solution in original post

apvinod2003 · ‎03-31-2016

That worked like a charm :). Thanks a lot.

ddrillic · ‎03-31-2016

Tried to find some related threads such as https://answers.splunk.com/answers/50659/whats-the-difference-between-where-and-search-in-the-pipeli...

How do I use a value of an eval field to search an existing field

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >

How do I use a value of an eval field to search an existing field

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >