- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a search that gets the top value of a search and saves it to a variable:
| eval top=[| eval MB_in=bytes_in/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes in" | sort -"Total Megabytes in" | head 1 | eval topval=c_ip | return $topval]
I want to then use this value in the main search.
This is currently returning the following error:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Value should be returned from a sub-search. Change your query to:
| eval top=[search <subsearch_query>| eval MB_in=bytes_out/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes Out" | sort -"Total Megabytes Out" | head 1 | eval topval=c_ip | return $topval]
If you are using top to filter base search results, then you can do this.
<base_search> top=[search <subsearch_query>| eval MB_in=bytes_out/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes Out" | sort -"Total Megabytes Out" | head 1 | eval topval=c_ip | return $topval]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Value should be returned from a sub-search. Change your query to:
| eval top=[search <subsearch_query>| eval MB_in=bytes_out/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes Out" | sort -"Total Megabytes Out" | head 1 | eval topval=c_ip | return $topval]
If you are using top to filter base search results, then you can do this.
<base_search> top=[search <subsearch_query>| eval MB_in=bytes_out/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes Out" | sort -"Total Megabytes Out" | head 1 | eval topval=c_ip | return $topval]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have run the first search, I am now being returned with the error "Error in 'eval' command: The number is invalid.", what does this mean?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's type of the value is string then you need to format it:
| eval top=[search | eval MB_in=bytes_out/1024/1024 | stats sum(MB_in) by c_ip | rename sum(MB_in) as "Total Megabytes Out" | sort -"Total Megabytes Out" | head 1 | eval topval=c_ip | return $topval | format ]
you can simplify this query. Return command returns first row value by default.
| eval top=[search <subsearch_query> | stats sum(bytes_out) as "Total Bytes Out" by c_ip | sort -"Total Bytes Out" | return $c_ip | format ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Amazing, so I now have a field called top in my main search - this is an IP. I am now trying to use this top value to filter the c_ip field. I have done this by searching for |search c_ip=top. This in not returning any results. am i filtering this in the correct way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then you don't need to format, you can filter main search like this.
| search c_ip=[search <subsearch_query> | stats sum(bytes_out) as "Total Bytes Out" by c_ip | sort -"Total Bytes Out" | return $c_ip ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are the splunk god, thank you!
