I have an input token $env_field$ which has a value: "port123_host123"
host, component and port are existing fields in Splunk.
I have a search that goes as follows (basically, I need to extract the port from the input token and use that value to search on the port field):
host=host123 component=cmp123| eval prtInput= replace($env_field$, "([^_]+)\_\w*", "\1") | search port=prtInput
But this doesn't work. The eval expression is working, i.e., prtInput gets evaluated as "port123" and is available as a field in the search result; I checked. But the search port=prtInput portion isn't returning any results somehow.
search port=port123 returns results however.
Can't we use a value from an eval field piped into a search command? If not, what alternatives do we have to achieve this?