Splunk Search

Why can't I do an eval with a rest call in a subsearch?

nick405060
Motivator

Hi there,

I'm trying to add a column to my base search that is the user currently logged into Splunk. This is a code snippet I'll call REST:

search index=_internal [ | rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)=="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user

I can eval to the code snippet, if it's not a subsearch:

| makeresults | eval user=[<REST>]

However, I cannot eval to the code snippet as a subsearch:

<search base="all">
    <query>
| eval user= [<REST>] | table *
    </query>
</search>

It just tells me:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

I don't have the problem if I do the exact same thing but change the code snippet so that it doesn't involve a rest call.

0 Karma
1 Solution

cmerriman
Super Champion

what if you created a token with the search?

<search>
    <query>index=_internal [ |rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user</query>
    <done>
    <set token="user">$result.user$</set>
    </done>
  </search>

and then in your other panel:

<search base="all">
     <query>
 | eval user= $user$| table *
     </query>
</search>


nick405060
Motivator

I also tried this using a left join as a pseudo eval... and it still doesn't work. I think that search index=_internal [ | rest /services/authentication/current-context/context | fields + username] just hates being inside other brackets, no matter if it's a left join or eval.

0 Karma


nick405060
Motivator

Okay awesome, got it! I'm not sure if you meant I should create a token in the base search that I should use in the subsearch (I think that's what you meant), which is what I mentioned in my previous comment as still not working.

However, if I create a third "hidden" search that is JUST the rest call, then I can use that token in the subsearch. So basically the order Splunk processes the data is: rest_search (creating token) -> base_search -> subsearch (uses token).

0 Karma
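The three-search layout described in the comment above, written out as a complete Simple XML dashboard. This is an added example, not XML from the thread: the base search body, the panel contents and the use of `depends` to hold the panel until the token exists are assumptions; the username-shortening evals are taken from the question.

```xml
<dashboard>
  <label>Events annotated with the logged-in user (added example)</label>

  <!-- 1. Hidden search: exists only to set the $user$ token.
       No panel references it, so it renders nothing. -->
  <search id="rest_search">
    <query>| rest /services/authentication/current-context/context
            | fields username
            | rename username as user
            | dedup user
            | search user != "splunk-system-user"
            | head 1
            | eval user=if(substr(user,1,3)="sa_", substr(user,4,8), user)
            | eval user=substr(user,1,4)
            | table user</query>
    <done>
      <!-- $result.user$ is the first result row's "user" field.
           The token is set unquoted; quoting happens at the point of use. -->
      <set token="user">$result.user$</set>
    </done>
  </search>

  <!-- 2. Base search: assumed body, stands in for the asker's
       inputcsv/index/join pipeline. Contains no rest call. -->
  <search id="all">
    <query>index=_internal sourcetype=splunkd | head 100</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>

  <row>
    <!-- depends keeps the panel (and its post-process search) from running
         until $user$ has been set, enforcing rest_search -> base -> post-process. -->
    <panel depends="$user$">
      <title>Current user: $user$</title>
      <table>
        <!-- 3. Post-process search: the token is substituted as plain text,
             so it is wrapped in quotes here rather than in the hidden search. -->
        <search base="all">
          <query>| eval user="$user$" | table _time, component, user</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because the token is unquoted, the same `$user$` can also be shown in the panel title or passed to `<link>` targets without stray quote characters.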

nick405060
Motivator

Interesting, when I saw your answer I got excited because it definitely seems like that would fix it. However, if I do what you described and move REST to the base search and create a token, then I get the same error in the base search. Just like before, if I edit the REST code snippet so that it no longer involves a rest call, then I no longer get the error.

Since the REST code snippet works by itself, there must be something going on in my base search that somehow makes it not work.... I have no idea what it could be. My base search is only inputcsvs, index searches, and joins.

0 Karma

cmerriman
Super Champion

Can you share your xml? This works on my test dashboard. What version are you on? What capabilities does your role/user have?

0 Karma