Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Returning field from subsearch to eval displays no returned rows in table

mcgi906
Explorer
‎07-18-2016 11:00 AM

I am attempting to return a field from a subsearch into an eval statement. No errors are thrown, but when the table populates, the "79 events" that are returned are blank. I know there are a lot of issues with formatting, especially since the field I am returning is made up of strings. Any ideas or workarounds?

eval f=[search indexa | fields REASON |  eval query=REASON | eval query=tostring(query) |  return $query] | table f

Earlier, I was getting the error that there was an error in the eval function, that an operator was invalid. I used the tostring() function and that cancelled the error, but like I said, all the rows of returned data are blank.

0 Karma
Reply

Raschko
Communicator
‎07-18-2016 11:09 AM

Can you test the following using strcat instead of the eval tostring command?

eval f=[search indexa | fields REASON | eval query=REASON | strcat "\"" query "\"" query | return $query] | table f

Do you get any results?

Reply

mcgi906
Explorer
‎07-18-2016 11:22 AM

Actually sorry, I just realized that all the returned rows are exact duplicates of one another, which should not be the case. Any ideas as to why this might be happening?

0 Karma
Reply

Raschko
Communicator
‎07-18-2016 11:26 AM

All that the line above does is to put the results of the subsearch into the key f.
As the result of the subsearch are the same for every event of the main search the key f is always getting the same value.

Can you elaborate more on what your trying to achieve with f and your search?

0 Karma
Reply

mcgi906
Explorer
‎07-18-2016 11:28 AM

Basically, Im just trying to return the field to the main search

0 Karma
Reply

mcgi906
Explorer
‎07-18-2016 11:29 AM

Ive tried doing a join, append, appencols, and using map, but nothing has worked so far since the field I am working with is pretty nasty

0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2016 01:41 PM

Go ALL THE WAY BACK to the beginning, start by showing us a MINIMUM set of sample events and then given an explanation of what you need to do followed by a mockup of the final desired output. I have NO IDEA what you are are trying to really do, especially given your comment above.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
li.common.scroll-to.top