How to search with Splunk eval using a different s...

michael92956 · ‎06-02-2022

Hopefully I can explain this in a way where it can be understood and fingers crossed answered. I have a search that returns the user and date. On occasion the user is blank, in which case I want to perform a search on a different index to get the appropriate value and populate the first search results. I am trying the following:

| eval user=if(user=””), searchmatch(new search | table UserName), $user$)

This is easy enough when the value is hard coded, but want to grab the result from the new search value.

Obviously, this does not work but hopefully gives an idea what is desired. Any ideas how to accomplish?

gcusello · ‎06-03-2022

Hi @michael92956,

it ison't possible to insert a search in an eval command like you would, but it's possible to have the same result with a workaround:

index=indexA OR index=indexB
| stats BY Username

You could also have the information about the index origin adding some option to the stats command:

index=indexA OR index=indexB
| stats dc(index) AS dc_index values(index) AS index BY Username
| eval index_status=if(dc_index=2,"Both Indexes","Only in ".index)
| table Username index_status

Ciao.

Giuseppe

How to search with Splunk eval using a different search results to populate field value

eval

fields

join

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation