Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to properly evaluate integer list from inputlookup subsearch?

oneillryan93
New Member
‎11-16-2017 10:52 AM

I'm attempting to use a subsearch to extract a number of integers in order to transpose those integers as columns. Here is the code for the subsearch:

|eval thing=[| inputlookup lookup.csv
| stats values(tests) by tests
| sort 15 -tests
| stats values(tests) as str
| return $str]

The search run by itself returns something like "123 124 125 126 127...", so I'm confused why when I run it as a subsearch it returns:

"Error in 'eval' command: The expression is malformed."

I've tried following some similar examples I've seen here, but I can't seem to find anything that works for me.
Thanks.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎11-16-2017 11:17 AM

The return command, by default, returns only the single value from first row of specified field (as string). The field 'str' in your subsearch is a multivalued field and thus causes issue in eval. Assuming you want to return list of all 15 'tests' values in a space-delimited string and save it to field 'thing', try something like this

...|eval thing=[| inputlookup lookup.csv | stats values(tests) by tests | sort 15 -tests | stats values(tests) as str | nomv str | eval str="\"".str."\"" | return $str]

The nomv command changes 'str' to a single valued field and next eval will add double qoutes around values as it'll be a space delimited string.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...