Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter the results based on the evaluated field?

amerineni
Loves-to-Learn
‎11-02-2022 02:31 PM

I'm trying the below query,

index=XXXXXXXXX   | eval space="cf_space_name=production" | search "space"  YYYYYYYYYYYY | stats count

===================================================================

I want to filter the results based on the evaluated field.

| search "space"    XXXXXXXXXXXXX    => is not returning correct values

|  search "cf_space_name=production"    XXXXXXXXXXXXX    =>  but If I use the value like this its working.

how to fix this? Thanks for the help.

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-02-2022 10:22 PM

Like @richgalloway mentioned, the value in 'space' is not substituted as part of command in | search.  Can you explain why it is even necessary to use that syntax if  | search "cf_space_name=production" YYYYYYYYYYY already works?  Maybe you are thinking of a token in dashboard?

(As a side, | search "cf_space_name=production" YYYYYYYYYYY  is semantically different from | search cf_space_name=production YYYYYYYYYYY.  You want to consider what exactly is intended.)

0 Karma
Reply

amerineni
Loves-to-Learn
‎11-03-2022 01:40 PM

I have two inputs in the dashboard and I need to evaluate filed name and value to compare dynamically based on those inputs and filter events based on that.  That is what I'm tryign to do.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-03-2022 11:08 PM

I still don't see how "cf_space_name=production" is a dynamic input.  In this form, it is just a static string.  Can you explain?  Maybe you can illustrate with data (anonymize as necessary)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2022 01:55 PM

I hoping this was in a dashboard.  If you have an input called "space" that holds a cf_space_name value then you can reference that token in the SPL.

index=XXXXXXXXX cf_space_name=$space$ YYYYYYYYYYYY 
| stats count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-02-2022 05:12 PM

The search command treats "space" with or without quotation marks as a literal string rather than a field name. 

The eval command assigns a value to a field, creating the field if necessary.  It does not define variables that can be used in arbitrary places.

To search for specific text in an event, put that text in a search command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...