Splunk Search

Returning field from subsearch to eval displays no returned rows in table

mcgi906
Explorer

I am attempting to return a field from a subsearch into an eval statement. No errors are thrown, but when the table populates, the "79 events" that are returned are blank. I know there are a lot of issues with formatting, especially since the field I am returning is made up of strings. Any ideas or workarounds?

eval f=[search indexa | fields REASON |  eval query=REASON | eval query=tostring(query) |  return $query] | table f

Earlier, I was getting the error that there was an error in the eval function, that an operator was invalid. I used the tostring() function and that cancelled the error, but like I said, all the rows of returned data are blank.

0 Karma

Raschko
Communicator

Can you test the following using strcat instead of the eval tostring command?

eval f=[search indexa | fields REASON | eval query=REASON | strcat "\"" query "\"" query | return $query] | table f

Do you get any results?

mcgi906
Explorer

Actually sorry, I just realized that all the returned rows are exact duplicates of one another, which should not be the case. Any ideas as to why this might be happening?

0 Karma

Raschko
Communicator

All that the line above does is to put the results of the subsearch into the key f.
As the result of the subsearch are the same for every event of the main search the key f is always getting the same value.

Can you elaborate more on what your trying to achieve with f and your search?

0 Karma

mcgi906
Explorer

Basically, Im just trying to return the field to the main search

0 Karma

mcgi906
Explorer

Ive tried doing a join, append, appencols, and using map, but nothing has worked so far since the field I am working with is pretty nasty

0 Karma

woodcock
Esteemed Legend

Go ALL THE WAY BACK to the beginning, start by showing us a MINIMUM set of sample events and then given an explanation of what you need to do followed by a mockup of the final desired output. I have NO IDEA what you are are trying to really do, especially given your comment above.

0 Karma