Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to store this string in a variable and use it in any other index?

nikhilmalkari18
New Member
‎06-20-2022 11:15 AM

index = "abc" required_field = "xx" | table date - gives me a single string in the table. How can I store this string in a variable and use it in any other index.

Thank you 

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-20-2022 11:31 AM

What do you mean by "using it in another index"?

SPL is not a procedural language and in general doesn't have the concept of "variables" as external storage to hold state between different searches.

There are some techniques which can be used to store something resembling a state - KV-store, collecting to summary index. But this is pretty advanced stuff (from the conceptual point of view - technically it's relatively easy) and I very much doubt that's what you need.

If you want to search for values from another search, you might use subsearch but also often can rephrase your problem to do the search in a completely different way.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-20-2022 11:26 AM

@nikhilmalkari18 

IF you want to add a new field into data/events found in index=abc, then

index=abc | eval required_field = "xx"

 

If there are no events already, and for testing, if you want to generate a new event, then

| makeresults | eval required_field = "xx"

 

I hope this helps!!!

0 Karma
Reply

nikhilmalkari18
New Member
‎06-20-2022 11:29 AM

I do not want to add a new field to the index. I want to know how to store a string coming from a search command in a variable.

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-20-2022 12:10 PM

@nikhilmalkari18 - That's what eval command does. But this does not store variables/fields permanently. Its scope is limited to that particular search only.

If you want to do it for all searches implicitly, then you can use EVAL in the props.conf file. -> Calculated Fieldshttps://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields 

If you want to do it permanently you can do it by extracting the field at index timehttps://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Configureindex-timefieldextraction 

 

I hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top