How to search with Splunk eval using a different s...

michael92956 · ‎06-02-2022

Hopefully I can explain this in a way where it can be understood and fingers crossed answered. I have a search that returns the user and date. On occasion the user is blank, in which case I want to perform a search on a different index to get the appropriate value and populate the first search results. I am trying the following:

| eval user=if(user=””), searchmatch(new search | table UserName), $user$)

This is easy enough when the value is hard coded, but want to grab the result from the new search value.

Obviously, this does not work but hopefully gives an idea what is desired. Any ideas how to accomplish?

gcusello · ‎06-03-2022

Hi @michael92956,

it ison't possible to insert a search in an eval command like you would, but it's possible to have the same result with a workaround:

index=indexA OR index=indexB
| stats BY Username

You could also have the information about the index origin adding some option to the stats command:

index=indexA OR index=indexB
| stats dc(index) AS dc_index values(index) AS index BY Username
| eval index_status=if(dc_index=2,"Both Indexes","Only in ".index)
| table Username index_status

Ciao.

Giuseppe

How to search with Splunk eval using a different search results to populate field value

eval

fields

join

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation