How do I use a value of an eval field to search an existing field

Explorer

Hi Experts,

I have an input token $env_field$ which has a value: "port123_host123"
host, component and port are existing fields in Splunk.

I have a search that goes as follows: (basically need to extract the port from input token and use that value to search on the port field)

host=host123 component=cmp123| eval prtInput= replace($env_field$, "([^_]+)\_\w*", "\1")  | search port=prtInput

But this doesn't work. Eval expression is working, i.e., prtInput gets evaluated as "port123" and available as a field in the search result; I checked. But the search port=prtInput portion isn't returning any results somehow. search port=port123 returns results however.

Can't we use a value from eval field piped into a search command? If not, what alternatives do we have to achieve this?

Regards,
Vinod.

1 Solution

Communicator

Change:

| search port=prtInput

to

| where port==prtInput
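
Why the change works, as an added example that is not part of the original thread: search treats the right-hand side of port=prtInput as the literal string "prtInput", while where evaluates prtInput as a field name and compares the two field values per event. The three constructed rows, the env_field eval (standing in for the $env_field$ token) and the where_match / search_match columns are assumptions for illustration; search_match emulates the search comparison by using a quoted literal.

```spl
| makeresults count=3
| streamstats count AS n
| eval port=case(n==1, "port123", n==2, "port456", n==3, "prtInput")
| eval env_field="port123_host123"
| eval prtInput=replace(env_field, "([^_]+)_\w*", "\1")
| eval where_match=if(port==prtInput, "yes", "no")
| eval search_match=if(port=="prtInput", "yes", "no")
| table port prtInput where_match search_match
```

Only the port123 row gets where_match=yes, and only the row whose port is the literal text prtInput gets search_match=yes.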

Explorer

That worked like a charm :). Thanks a lot.
