Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return a single value from a subsearch into eval Part 2

hollybross1219
Path Finder
‎05-20-2020 12:07 PM

I found a different answer article with an example of what I'm trying to do, but I can't get it to work on my end.

I'd like to calculate a value using eval and subsearch (adding a column with all row values having this single calculated value). I've replicated what the past article advised, but I'm getting a "Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr])." message. I've also identified that it's the eval with the subsearch causing this, because the query works when removing that function.

Past article with same question: https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html

Here's my query

splunk_server=indexer* index=wsi_tax_summary sourcetype=stash intuit_tid=* intuit_offeringid=* provider_id=* partnerId=* 
capability=* error_msg_service=* http_status_code_host=* ofx_schema_response_error!=null
| eval ofx_schema_response_error= [eval statements unimportant for this example]
| stats dc(intuit_tid)  as schema_error dc(eval(if(error_msg_service="OK", intuit_tid, null()))) as successful_imports by 
    ofx_schema_response_error
| eval total_events =
    [search splunk_server=indexer* index=wsi_tax_summary sourcetype=stash intuit_tid=* intuit_offeringid=* provider_id=* 
    partnerId=* capability=* error_msg_service=* http_status_code_host=*
    | stats dc(intuit_tid) as total_events
    | return total_events]
| eval failed_imports = schema_error - successful_imports
| sort - schema_error

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2020 01:24 PM

By default, returns returns a field name, not a value. To get the value, use | return $total_events.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2020 01:24 PM

By default, returns returns a field name, not a value. To get the value, use | return $total_events.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...