Solved: How to reference a tagged field from an eval comma...

gilescope · ‎08-18-2014

We've tagged our hosts which we can search for by 'tag::host', but how do we reference that field from an eval command? Do we first need to rename it or is there a direct way?

MuS · ‎08-18-2014

Hi gilescope,

this is possible. I used a tag called foo-box for a special host and if you search like this

your base search here | where 'tag::host'="foo-box"

you can use it without any problem.

cheers, MuS

View solution in original post

MuS · ‎08-18-2014

Hi gilescope,

this is possible. I used a tag called foo-box for a special host and if you search like this

your base search here | where 'tag::host'="foo-box"

you can use it without any problem.

cheers, MuS

gilescope · ‎08-18-2014

ah yes. single quotes is perfect. I tried double quotes but that turns out as a string constant.

MuS · ‎08-18-2014

well where is an eval command .... can you provide an example of yours which does not work?

gilescope · ‎08-18-2014

Yes this works for search, but I want to include the tag::host field in an eval expression.

How to reference a tagged field from an eval command?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM