Hi Experts,
I have an input token $env_field$ which has a value: "port123_host123"
host, component and port are existing fields in Splunk.
I have a search that goes as follows: (basically need to extract the port from input token and use that value to search on the port field)
host=host123 component=cmp123| eval prtInput= replace($env_field$, "([^_]+)\_\w*", "\1") | search port=prtInput
But this doesn't work. The eval expression is working, i.e., prtInput gets evaluated as "port123" and is available as a field in the search result; I checked. But the search port=prtInput portion isn't returning any results somehow. search port=port123 returns results, however.
Can't we use a value from eval field piped into a search command? If not, what alternatives do we have to achieve this?
Regards,
Vinod.
Change:
| search port=prtInput
to
| where port==prtInput
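The difference between the two commands, as an added example that is not part of the original thread: the search below builds three constructed events with makeresults and marks, for each one, whether the field-to-field comparison done by where matches and whether the literal-string comparison that search port=prtInput amounts to matches. The fields n, where_match and search_match and the sample port values are assumptions made for the illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval port=case(n==1, "port123", n==2, "port456", n==3, "prtInput")
| eval prtInput=replace("port123_host123", "([^_]+)_\w*", "\1")
| eval where_match=if(port==prtInput, "yes", "no")
| eval search_match=if(port=="prtInput", "yes", "no")
| table port prtInput where_match search_match
```

Only the port123 event has where_match=yes, and only the event whose port is literally "prtInput" has search_match=yes, which is why the original search returned nothing.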
That worked like a charm :). Thanks a lot.
Tried to find some related threads such as https://answers.splunk.com/answers/50659/whats-the-difference-between-where-and-search-in-the-pipeli...
