Returning field from subsearch to eval displays no returned rows in table
I am attempting to return a field from a subsearch into an eval statement. No errors are thrown, but when the table populates, the "79 events" that are returned are blank. I know there are a lot of issues with formatting, especially since the field I am returning is made up of strings. Any ideas or workarounds?
eval f=[search indexa | fields REASON | eval query=REASON | eval query=tostring(query) | return $query] | table f
Earlier, I was getting the error that there was an error in the eval function, that an operator was invalid. I used the tostring() function and that cancelled the error, but like I said, all the rows of returned data are blank.
Can you test the following using strcat instead of the eval tostring command?
eval f=[search indexa | fields REASON | eval query=REASON | strcat "\"" query "\"" query | return $query] | table f
Do you get any results?
Actually sorry, I just realized that all the returned rows are exact duplicates of one another, which should not be the case. Any ideas as to why this might be happening?
All that the line above does is put the results of the subsearch into the key f.
As the results of the subsearch are the same for every event of the main search, the key f always gets the same value.
Can you elaborate more on what you're trying to achieve with f and your search?
Basically, I'm just trying to return the field to the main search.
I've tried doing a join, append, appendcols, and using map, but nothing has worked so far since the field I am working with is pretty nasty.

Go ALL THE WAY BACK to the beginning, start by showing us a MINIMUM set of sample events and then give an explanation of what you need to do followed by a mockup of the final desired output. I have NO IDEA what you are trying to really do, especially given your comment above.
