I am attempting to return a field from a subsearch into an eval statement. No errors are thrown, but when the table populates, the "79 events" that are returned are blank. I know there are a lot of issues with formatting, especially since the field I am returning is made up of strings. Any ideas or workarounds?
eval f=[search indexa | fields REASON | eval query=REASON | eval query=tostring(query) | return $query] | table f
Earlier, I was getting the error that there was an error in the eval function, that an operator was invalid. I used the tostring() function and that cancelled the error, but like I said, all the rows of returned data are blank.
Can you test the following using strcat instead of the eval tostring command?
eval f=[search indexa | fields REASON | eval query=REASON | strcat "\"" query "\"" query | return $query] | table f
Do you get any results?
All that the line above does is to put the results of the subsearch into the key f.
As the results of the subsearch are the same for every event of the main search, the key f is always getting the same value.
Can you elaborate more on what you're trying to achieve with f and your search?
Go ALL THE WAY BACK to the beginning, start by showing us a MINIMUM set of sample events and then give an explanation of what you need to do followed by a mockup of the final desired output. I have NO IDEA what you are trying to really do, especially given your comment above.