Using a subsearch in an eval line

htkhtk
Path Finder

I have some requests/responses going through my system. I want to get the size of each response.

The only information I have is a number of lines per request (each line is 4mb)

Currently I do the following:

eval ResponseSize=eventcount * 4

The 4mb might change so there is another place in the log file that prints what that size is.

Can I do a subsearch to pull this number and use it in the multiplication eval to get the ResponseSize?

1 Solution

Stephen_Sorkin
Splunk Employee

You can use the fact that a subsearch will render the "query" field literally. For example:

... | eval ResponseSize = eventcount * [search ... | rename size as query | fields query | head 1]

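A self-contained version of the accepted answer, added here as an example and not part of the original post. It builds three fake responses with makeresults instead of reading a real index, and keeps the thread's field names (eventcount, size); the constant 4 is the constructed "size" line from the log. The subsearch renders its query field as the bare text 4, so the outer eval sees eventcount * 4:

```spl
| makeresults count=3
| streamstats count AS request_id
| eval eventcount = request_id * 10
| eval ResponseSize = eventcount * [
      | makeresults
      | eval size = 4
      | rename size AS query
      | fields query
      | head 1
  ]
| table request_id eventcount ResponseSize
```

With the constructed input (10, 20 and 30 lines) the table should show ResponseSize 40, 80 and 120. Because the subsearch result is spliced into the outer search as text, keep the head 1 (or a stats) so that exactly one value is rendered; several rows would be rendered as several terms and break the arithmetic.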

David
Splunk Employee

Looks like sometimes it adds excess decoration though, at least with use cases that would be useful, like:

   | rest splunk_server=local /servicesNS/-/[| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1]/data/models

But with some (slightly silly) workarounds it can help!

   | makeresults | eval test="/servicesNS/-/" + [| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1] + "/data/models" | map search="| rest splunk_server=local $test$"


carasso
Splunk Employee

shorter:

   ... | eval ResponseSize = eventcount * [search ... | return $size]

Stephen_Sorkin
Splunk Employee

Subsearches behave like backticks in Unix. Anywhere that they're not treated specially (set, append, join) their result is just rendered as a string and inserted into the search.

Lowell
Super Champion

Wow. So where all do subsearches work? I thought they only worked in the base search and with special search commands (like set, append, join, ...). Is this documented somewhere?


htkhtk
Path Finder

Thanks! I appreciate the fast response!


carolinel
Loves-to-Learn

| eval Result=number * [search ... | stats avg(dataset) ]
yields this error message: "Error in 'eval' command: Type checking failed. '*' only takes numbers."

The subsearch run on its own results in a single number. That number could possibly be considered a string, but if I try to convert it to a number with tonumber([search...]) then I get another error message: "Error in 'eval' command: The arguments to the 'tonumber' function are invalid."

If I try this: | eval SubSearchResult=[search ... | stats avg(dataset) ]
I get this error message: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

I need to be able to assign the result of a sub search to a variable to be used in calculation with data from the base search. How can I do this?


to4kawa
Ultra Champion

Hi @carolinel

|makeresults
| eval test=[|makeresults|eval t=1|return $t]

Try this.
To substitute the result of a subsearch, it should use return.
This time the subsearch result is a number, so no double quotes are needed.
If the subsearch result is a string, it should be wrapped in double quotes and returned.

By the way, |eventstats avg(dataset) as Result
Isn't this enough?

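An added example (not from either poster) that works through the return $field form used by carasso and to4kawa for both a numeric and a string result, on data constructed with makeresults. The field names number and dataset are taken from carolinel's question; avg_dataset and unit are assumed names introduced here. Without return, a subsearch is rendered as a field="value" term rather than a bare value, which inside eval parses as a comparison and produces the "boolean result" error seen above; naming the stats output and returning it with $ avoids that:

```spl
| makeresults count=4
| streamstats count AS number
| eval dataset = number * 2
| eval Result = number * [
      | makeresults count=4
      | streamstats count AS number
      | eval dataset = number * 2
      | stats avg(dataset) AS avg_dataset
      | return $avg_dataset
  ]
| eval Unit = [
      | makeresults
      | eval unit = "MB"
      | eval unit = "\"" . unit . "\""
      | return $unit
  ]
| table number dataset Result Unit
```

The first subsearch renders as the plain number 5 (the average of 2, 4, 6 and 8), so Result is 5, 10, 15 and 20; the second wraps its value in literal double quotes before returning it, so the outer eval receives the string "MB". Since the returned text is pasted into the outer search verbatim, return only a field you control and reduce it to one row (stats, head 1) so that a stray quote or extra rows in event data cannot change the outer search.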