I'm trying to add a column to my base search that is the user currently logged into Splunk. This is a code snippet I'll call REST:
search index=_internal [ | rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)=="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user
I can eval to the code snippet, if it's not a subsearch:
| makeresults | eval user=[<REST>]
However, I cannot eval to the code snippet as a subsearch:
<search base="all"> <query> | eval user= [<REST>] | table * </query> </search>
It just tells me:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
I don't have the problem if I do the exact same thing but change the code snippet so that it doesn't involve a rest call.
what if you created a token with the search?
<search> <query>index=_internal [ | rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user</query> <done> <set token="user">$result.user$</set> </done> </search>
and then in your other panel:
<search base="all"> <query> | eval user=$user$ | table * </query> </search>
Interesting, when I saw your answer I got excited because it definitely seems like that would fix it. However, if I do what you described and move REST to the base search and create a token, then I get the same error in the base search. Just like before, if I edit the REST code snippet so that it no longer involves a rest call, then I no longer get the error.
Since the REST code snippet works by itself, there must be something going on in my base search that somehow makes it not work... I have no idea what it could be. My base search is only inputcsvs, index searches, and joins.
Can you share your xml? This works on my test dashboard. What version are you on? What capabilities does your role/user have?
Okay awesome, got it! I'm not sure if you meant I should create a token in the base search that I should use in the subsearch (I think that's what you meant), which is what I mentioned in my previous comment as still not working.
However, if I create a third "hidden" search that is JUST the rest call, then I can use that token in the subsearch. So basically the order Splunk processes the data is, restsearch (creating token) -> basesearch -> subsearch (uses token)
I also tried this using a left join as a pseudo eval... and it still doesn't work. I think that search index=_internal [ | rest /services/authentication/current-context/context | fields + username] just hates being inside other brackets no matter if it's a left join or eval.
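The working order described in the thread (hidden rest search sets a token, the base search and its post-process search consume it) as one complete Simple XML dashboard. This is an added example and not code posted by either participant; the index, the `sourcetype` filter and the `-1h` time range are assumptions chosen so the dashboard runs against `_internal`. The `sa_` prefix trimming is kept from the thread. Note that the token only shapes what the panel displays; it is not an access control, since the user's role-based index and search filters still decide what the searches may read.

```xml
<form>
  <label>Events for the logged-in user (added example)</label>

  <!-- Hidden search: run the rest call on its own, outside any subsearch
       brackets, and publish the result as the $user$ token. The <done>
       handler fires once, after the search finishes. -->
  <search id="whoami">
    <query>| rest /services/authentication/current-context/context
| fields username
| search username!="splunk-system-user"
| head 1
| eval user=if(substr(username,1,3)=="sa_", substr(username,4), username)
| table user</query>
    <done>
      <!-- $result.user$ refers to the "user" field of the first result row. -->
      <set token="user">$result.user$</set>
    </done>
  </search>

  <!-- Base search: because the query references $user$, Simple XML does not
       dispatch it until the token has been set, so it runs after "whoami". -->
  <search id="all">
    <query>index=_internal sourcetype=splunkd_access user="$user$"</query>
    <earliest>-1h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Events for $user$</title>
      <table>
        <!-- Post-process search on the base: plain eval with the token,
             no subsearch and no rest call inside brackets. -->
        <search base="all">
          <query>| eval current_user="$user$" | table _time user current_user uri method status</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `user` column from `splunkd_access` and the `current_user` column from the token will match, which is a quick check that the token was populated before the base search ran. If the panel stays in the "waiting for input" state, the hidden search returned no row (for example when the only username is `splunk-system-user`), so `$user$` was never set.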