Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to pass field value from search to write kind of an event in the same search using eval command?

ak9092
Path Finder
‎05-20-2022 07:38 AM

Hey Splunkers,

I am not sure if this is possible or not but what i was trying to do is something like passing the values of search in the eval command to basically form a statement or  an event .

So for example consider below search returns multiple users first name, last name and country details.

Now with that field values what i am trying to do is create a eval statement like below-

index=foo source=user_detail

|table first_name  last_name country

|eval statement = My name is "$first_name $ $last_name$ and i come from $country$

|table statement

 

But this is not passing those field values to eval statement, so anyone knows if there is a way we can do this ?

Thanks.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:04 AM

Hi @ak9092,

let me understand: you want to concatenatethree fields value in only one, is it correct?

if this is your need, please try this:

index=foo source=user_detail
| eval statement="My name is ".first_name." ".last_name." and i come from ".country
| table statement

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:04 AM

Hi @ak9092,

let me understand: you want to concatenatethree fields value in only one, is it correct?

if this is your need, please try this:

index=foo source=user_detail
| eval statement="My name is ".first_name." ".last_name." and i come from ".country
| table statement

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ak9092
Path Finder
‎05-20-2022 08:17 AM

That's exactly what I needed, Thanks much @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:26 AM

Hi @ak9092,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...