Splunk Search

How to use an evaluated field in the search command?

biju_babu
Explorer

Could you please let me know how to use an evaluated field in the search command?

index=main sourcetype="access_combined"
| eval field1="search-val1|search-val2"
| eval searchval=mvindex(split(field1,"|"),1)
| search "*search-val2*"

I am trying to create a dashboard with one of the searches as above. I get the field1 value from a dropdown list in the dashboard. Something like

| eval field1 = $searchkey$

The above works with a static value in the search command, but I am trying to use the searchval field in the search command, like

| search 'searchval'

Can someone help? Thanks for the help.

1 Solution

yuanliu
SplunkTrust
SplunkTrust

Is there any reason why "search" is the only choice of command? Why not use where? For example,

| where match(_raw, searchval)



biju_babu
Explorer

What if I use the "where" command to set the source? Does it impact performance?

Example using #2 instead of #1

1. index=main sourcetype="access_combined" source="app1"

2. index=main sourcetype="access_combined" | where match(source,"app1")


yuanliu
SplunkTrust
SplunkTrust

This will affect performance mainly because the first search in #2 will return more events than that in #1.

As an aside, if source is precisely "app1", do not use match(). Just say | where source=="app1". A call to a function adds to memory and compute; and match(), being a regex function, adds even more compute.


ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| search [| makeresults
          | fields - _time
          | eval field1 = $searchval$]

biju_babu
Explorer

Sorry, that is not working.

Basically, I need to execute a command like this

index=main sourcetype="access_combined" "*search-val2*"

where "search-val2" gets evaluated from a pipe (|) separated string


ITWhisperer
SplunkTrust
SplunkTrust

Do the separation in the makeresults subsearch

| search [| makeresults
          | fields - _time
          | eval field1 = $searchval$
          | eval query=mvindex(split(field1,"|"),1)
          | fields query]
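Putting the thread's pieces together, as an added example that is not from any of the posts above: a Simple XML dashboard whose dropdown token carries the pipe-separated pair, splits out the second value, and applies it with where after the base search has already narrowed by indexed fields (per yuanliu's performance note). The form label, panel, choice values, source="app1" and the time range are assumptions; the |s token filter and like() are used so that a dropdown value reaches the search as a quoted string literal and is matched as plain text, not as search syntax or a regex.

```xml
<form>
  <label>Filter by evaluated token (added example)</label>
  <fieldset submitButton="false">
    <!-- Each choice value carries two terms separated by a pipe; the search
         below uses the second one. Choice values here are made up. -->
    <input type="dropdown" token="searchkey">
      <label>Search key</label>
      <choice value="search-val1|search-val2">Pair 1</choice>
      <choice value="other-a|other-b">Pair 2</choice>
      <default>search-val1|search-val2</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- $searchkey|s$ wraps the token value in double quotes and escapes any
           embedded quotes, so eval receives a string literal and the dropdown
           value cannot be read as extra search commands or clauses.
           like() with % wildcards gives the "*search-val2*" substring match
           of the original question without treating the value as a regex,
           which match(_raw, ...) would do. Indexed-field terms (index,
           sourcetype, source) stay in the base search so the indexer, not
           where, discards the bulk of events. -->
      <table>
        <search>
          <query>index=main sourcetype="access_combined" source="app1"
| eval searchval=mvindex(split($searchkey|s$,"|"),1)
| where like(_raw, "%".searchval."%")
| table _time source _raw</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```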