Splunk Search
Highlighted

Should I be using eval or subsearch? Not able to perform Search when evaluating a boolean expression

New Member

I know this is a Splunk newbie question but I am having some issues getting this to work. I have a column field named "Account_Name" from a sourcetype="AD", for instance. I am creating a form where there are several empty text fields (Account Name, IP Address, Host Name, etc). I may have all of the fields or I may have just one piece of information pertaining to a particular event.

Based on which field contains a value (e.g. length of character string is greater than 0), I'd like to assign the character string a default value to search. So if I have a variable named $testaccountname$, I'd like to be able to run something like this:

eval XYZ=if($testaccountname$!=0, $testaccountname$,"*")

Here is where things go beyond my realm of Splunk understanding. At this point, the new variable XYZ should be assigned a value of $testaccountname$ OR contain a wildcard ("*"). Now, I want to be able to pass the contents of XYZ back to the original variable "Account_Name" in order to search the sourcetype with the results contained in XYZ.

I am sure there is a more appropriate function to perform this but I figured I would ask! Thanks in advance!

Tags (2)
0 Karma
Highlighted

Re: Should I be using eval or subsearch? Not able to perform Search when evaluating a boolean expression

Builder

Hi,
Try this:

...|eval XYZ=if("$test_account_name$"!=0, "$test_account_name$","*")|...|join [search sourcetype="AD" ...|eval Account_Name=XYZ|...]
0 Karma