Splunk Search

How to return a single value from a subsearch into eval

Sloefke
Path Finder

Hi,

I'm trying to calculate a value through some lookup statements and then put that value into a variable using eval. I've been googling and reading documentation for a while now and "return" seems the way to go, but I can't get it to work.

Basically what I want to do is:

somesearch | eval somevar=[ subsearch | lookup | return $lookupresult ]

But whatever I try, I never get the "somevar" field in my resulting events.

I tried boiling it down to a very simple dummy query to test this, but even this does not return any "aatest" field in the resulting event:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]

As I understand it, this should just return the "aatest" field with value "test" in the 1 resulting event, no?

Thanks!

1 Solution

Sloefke
Path Finder

Problem solved (thanks to distributor support)! To pass strings, the quotes need to be added to the variable in the subsearch (which makes sense thinking of it):

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"test\"" | return $ip ]

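The mechanism behind the fix, as an added example that is not part of any post in this thread: the text a subsearch produces is spliced into the outer search string before eval parses it, so the outer command sees a string literal, a number, or a bare field name depending on what `return $v` emitted. The search below uses `makeresults` instead of an index so it runs anywhere; the field names (`v`, `as_string`, `as_number`, `as_field`) are chosen for illustration.

```spl
| makeresults
| eval as_string = [ | makeresults | eval v="\"test\"" | return $v ]
| eval as_number = [ | makeresults | eval v="123"      | return $v ]
| eval as_field  = [ | makeresults | eval v="test"     | return $v ]
| table as_string as_number as_field
```

After substitution the three eval lines read `eval as_string="test"`, `eval as_number=123` and `eval as_field=test`. The last one is a reference to a field named `test`, which does not exist in the outer event, so `as_field` is empty while the other two are populated; that is exactly the difference between the working integer example and the failing string example further down this thread. Two caveats for real data: `return` emits only the first row unless you give it a count, and because the value is spliced in as search text, a value that can itself contain a double quote must have those quotes escaped in the subsearch before it is wrapped in `"\"..\""`, or the outer eval will be malformed.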

mhergh
Explorer

Weird, the solution didn't work out for me; it returned the string "ip" instead of the expected ip field value.

But this slightly adapted variant worked for me: 

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"" + test + "\"" | return $ip ]

isoutamo
SplunkTrust

Hi

This is the way to do it if you want to return the value of some field from the inner search. It seems that it is expecting those " marks outside of the value.

r. Ismo


evelenke
Contributor

Another hint ... | return $ip | format ]

stephanefotso
Motivator

Surprising! I think it should work. Here's an example which is working perfectly:

index=_internal |eval aaa=[search index=_internal sourcetype="splunkd"|head 1|eval c2="45555"|return $c2]

or

index=_internal |eval aaa= 1 + [search index=_internal sourcetype="splunkd"|stats count as c1|return $c1]|table aaa
SGF

Sloefke
Path Finder

Your 2 tests worked for me as well, so I started looking a bit. Seems the only difference is the value of the returned variable, where you use an integer and I use a string. And indeed, this does work:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="123" | return $ip ]

while this still doesn't:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]

What the? return should be able to return strings, no? 😕

Edit: my guess is that the return search does return a string, but it can't be mapped into the "aatest" variable without quotes? Now to try to fix that ...


stephanefotso
Motivator

Hmm! That's a real problem! I'm troubleshooting the issue.

SGF

Sloefke
Path Finder

I've been searching some more as well, but I can't find a way to 'convert' the subsearch to something eval would recognize as a string 😕
