Splunk Search

Using a subsearch in an eval line

Path Finder

I have some requests/responses going through my system. I want to get the size of each response.

The only information I have is the number of lines per request (each line is 4 MB).

Currently I do the following:

eval ResponseSize=eventcount * 4

The 4 MB might change, so there is another place in the log file that prints what that size is.

Can I do a subsearch to pull this number and use it in the multiplication eval to get the ResponseSize?


Re: Using a subsearch in an eval line

Splunk Employee

You can use the fact that a subsearch will render the "query" field literally. For example:

... | eval ResponseSize = eventcount * [search ... | rename size as query | fields query | head 1]


Re: Using a subsearch in an eval line

Path Finder

Thanks! I appreciate the fast response!

0 Karma

Re: Using a subsearch in an eval line

Observer

| eval Result=number * [search ... | stats avg(dataset) ]
yields this error message: "Error in 'eval' command: Type checking failed. '*' only takes numbers."

The subsearch run on its own results in a single number. That number could possibly be considered a string, but if I try to convert it to a number with tonumber([search...]) then I get another error message: "Error in 'eval' command: The arguments to the 'tonumber' function are invalid."

If I try this: | eval SubSearchResult=[search ... | stats avg(dataset) ]
I get this error message: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

I need to be able to assign the result of a subsearch to a variable to be used in a calculation with data from the base search. How can I do this?

0 Karma

Re: Using a subsearch in an eval line

Ultra Champion

hi @carolinel

|makeresults
| eval test=[|makeresults|eval t=1|return $t]

Try this.
To substitute the result of a subsearch, it should use return.
This time the subsearch result is a number, so there is no need for double quotes.
If the subsearch result is a string, it should be wrapped in double quotes and returned.

By the way, isn't |eventstats avg(dataset) as Result
enough?

0 Karma
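The following search is an added example, not code from any post in this thread. It reproduces, on constructed data built with makeresults, both the ResponseSize calculation from the original question and the stats-based case that failed for the Observer, using the return $field form suggested above. The field names eventcount, size and dataset are taken from the thread; the values (three request lines of 10, 20 and 30 events, a size of 4, and a dataset of 1..4) are made up so the search runs on any Splunk instance without indexed data.

```spl
| makeresults count=3
| streamstats count AS line
| eval eventcount = line * 10
| eval ResponseSize = eventcount * [| makeresults | eval size=4 | return $size]
| eval Result = line * [| makeresults count=4 | streamstats count AS dataset | stats avg(dataset) AS avg | return $avg]
| table line eventcount ResponseSize Result
```

The first subsearch renders as the bare text 4, so the outer eval becomes eventcount * 4, giving 40, 80 and 120. The second one computes avg(dataset) = 2.5 and, because the result is given a plain name with AS and emitted with return $avg, renders as 2.5 rather than as a field=value pair; a field=value pair is what eval reads as a comparison, which is the source of the "Fields cannot be assigned a boolean result" error. Since the subsearch text is spliced into the outer search unparsed, as the backtick analogy later in the thread describes, it is worth checking that the returned field contains only the value you expect: a value with spaces, quotes or operators changes the meaning of the outer search rather than failing cleanly.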

Re: Using a subsearch in an eval line

Super Champion

Wow. So where all do subsearches work? I thought they only worked in the base search and with special search commands (like set, append, join, ...). Is this documented somewhere?

0 Karma

Re: Using a subsearch in an eval line

Splunk Employee

Subsearches behave like backticks in Unix. Anywhere that they're not treated specially (set, append, join) their result is just rendered as a string and inserted into the search.


Re: Using a subsearch in an eval line

Splunk Employee

Shorter:

... | eval ResponseSize = eventcount * [search ... | return $size]

0 Karma

Re: Using a subsearch in an eval line

Splunk Employee

Looks like sometimes it adds excess decoration though, at least with use cases that would be useful, like:

| rest splunk_server=local /servicesNS/-/[| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1]/data/models

But with some (slightly silly) workarounds it can help!

| makeresults | eval test="/servicesNS/-/" + [| rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as query | fields query | head 1] + "/data/models" | map search="| rest splunk_server=local $test$"

0 Karma