Solved: Pass a variable to fields command in a search - no...

cardinalga · ‎08-25-2017

Hi,

I'm trying to build a mechanism to pre-define a set of fields in my searches. The mechanism normally uses a macro and a lookup table to create a list of fields and this part is working fine. The problem is that it seems the "fields" command can't use my list correctly. For instance:

index="main" 
| eval myfieldslist="host,sourcetype,source" 
| fields $myfieldslist$

That looks good to me but it only shows the _time field which means the "fields" command does consider the string "host,sourcetype,source" as a unique value and not as a list of values. I tried different things but I can't make it work.

Any help would be appreciated
Thank you

somesoni2 · ‎08-25-2017

Try like this (the subsearch will get the string placed in fields command. The field name search is special field that returns the string value. You can replace the searchsearch with your current search/logic, just rename the field that contains field names to search)

index="main" 
| fields [| gentimes start=-1 | eval search="host,sourcetype,source" | table search]

View solution in original post

somesoni2 · ‎08-25-2017

Try like this (the subsearch will get the string placed in fields command. The field name search is special field that returns the string value. You can replace the searchsearch with your current search/logic, just rename the field that contains field names to search)

index="main" 
| fields [| gentimes start=-1 | eval search="host,sourcetype,source" | table search]

haraksin · ‎04-11-2018

I'm trying to pass an eval field to this, but it doesn't work: is there something I'm missing?

| eval fieldNames="" | eval fieldNames=if(isnull(fieldA), fieldNames."fieldA,fieldB", fieldNames)
| fields - [| makeresults | eval search=fieldNames]

somesoni2 · ‎04-11-2018

Put the fieldName in double quotes as you need to pass it as string.

[| makeresults | eval search="fieldNames"]

haraksin · ‎04-11-2018

It's a variable I'm defining earlier, not a string I want to pass. "fieldA,fieldB" is the string I want to pass.

somesoni2 · ‎04-11-2018

You can't pass a field or value from main search to a subsearch, that'll not work.

haraksin · ‎04-11-2018

I wasn't aware this is the case; thanks for the help! If you have any suggestions without the subsearch, then that would be awesome, but if not, I still appreciate your help.

niketn · ‎04-11-2018

@haraksin if your use case is different you can post your question on Splunk Answers with the required details as to what you are trying to do and what is not working. Is this for a dashboard?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cardinalga · ‎08-31-2017

Another solution:

index="main"  
| fields [| makeresults | eval search="host,sourcetype,source" ]

cardinalga · ‎08-28-2017

Thank you so much, it is very helpful.

Actually I'm pretty close of what I wanted, I just don't understand why I only have 1 field in the "selected_fields" group (displayed as a column in the right search pane showing the events) and the others being in the "interesting_fields" group and not displayed. However it seems I will be able to get them all displayed as expected by playing with a few more table/fields parameters

Thx again

Pass a variable to fields command in a search - not working

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies