Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk help

borisk95
New Member
‎05-25-2019 08:27 AM

I want to |search sourcetype=syslog | eval DATA=[search tratata | eval ip=somedata | return $ip] | search DATA
Example of ip ( 127.0.0.1 , (answer=127.0.0.1))
I get an error The number 127.0.0.1 is not valid.
Trying to use | eval ip=tostring(ip) | return $ip do not help

Tags (2)
0 Karma
Reply

borisk95
New Member
‎05-26-2019 05:30 AM

The reason is to search some value, eval this as a value or combined multivalie and search eval field=1 as | search 1

0 Karma
Reply

DavidHourani
Super Champion
‎05-26-2019 12:31 AM

Hi @borisk95,

You can run the following search for the same results if you're trying to filter on the DATA field :

 |search sourcetype=syslog [search tratata | eval ip=somedata|rename ip AS DATA | return $DATA]

Cheers,
David

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2019 03:58 PM

First run the subsearch by itself to verify you get the expected results.

search tratata | eval ip=somedata | return $ip

You may have better luck with

search tratata | eval ip=somedata | fields ip | format

Modify the search as needed to get the desired output. Once you have the output as you like it, put the query together.

sourcetype=syslog | eval DATA=[search tratata | eval ip=somedata | fields ip | format] | search DATA

Or perhaps

sourcetype=syslog [search tratata | eval ip=somedata | fields ip | format]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-25-2019 01:43 PM

Please describe the problem you are trying to solve. There may be a better way to do it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

borisk95
New Member
‎05-25-2019 01:47 PM

I'm trying to eval value from subsearch
ex searching specific data collecting them to multivalue field and pass to variable than search.
Do splunk have variables something like global variables

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...