Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use subsearch with eval to execute a search containing another subsearch?

Gchouane
Engager
‎03-24-2015 01:55 AM

Hello,

I would like create a search based on variables.

My current search: 

| stats count
| eval search="index=customer_details sourcetype="..." 
| eval search_id=if("$id_customer$"="*"," "," (id_customer=$id_customer$ OR operational_customer_number=$id_customer$) ")
| eval search_name=if("$name$"="*"," ","name=$name$")
| eval search_first_name=if("$first_name$"="*"," "," first_name=$first_name$ ")
| eval search_email=if("$email$"="*"," "," email_account=$email$ ")
| eval search_phone=if("$tel_no$"="*"," "," ( land_phone=$tel_no$ OR mobile_phone=$tel_no$)")
| eval search_order=if("$id_order$"="*"," "," [search (index=order (id_order=$id_order$)  | head 1  | fields id_customer | appendpipe [ .... ] | fields id_customer 
] ")
| eval search_request=if("$requestid$"="*"," ","[search index=request requestid=$requestid$ | head 1 | rename idclient as id_customer | fields id_customer | appendpipe [ ....... ] | fields id_customer ]")
| eval search= search+search_id+search_first_name + search_name + search_phone + search_order + search_request
| fields search

If i execute this search with parameters, Splunk returns a field : search named "search_return"
If i execute "search_return" manually, it runs ok, but i want to execute this search directly.

Have you an idea ?

Thanks you

Tags (3)
0 Karma
Reply

vganjare
Builder
‎04-27-2015 05:09 AM

HI,

Can you try using return command, to return the field value rather than field itself? Something like return $search.

Thanks!!

0 Karma
Reply

vganjare
Builder
‎03-24-2015 05:29 AM

Hi,

Will it be possible for you create a simple example using _internal index? Explain the use-case using _internal idex as reference.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...