Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I do an eval with a rest call in a subsearch?

nick405060
Motivator
‎11-29-2018 02:53 PM

Hi there,

I'm trying to add a column to my base search that is the user currently logged into Splunk. This is a code snippet I'll call REST:

search index=_internal [ rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)=="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user

I can eval to the code snippet, if it's not a subsearch:

| makeresults | eval user=[<REST>]

However, I cannot eval to the code snippet as a subsearch:

<search base="all">
    <query>
| eval user= [<REST>] | table *
    </query>

It just tells me:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

I don't have the problem if I do the exact same thing but change the code snippet so that it doesn't involve a rest call.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎11-29-2018 03:36 PM

what if you created a token with the search?

<search>
    <query>index=_internal [ |rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user</query>
    <done>
    <set token="user">results.user</set>
    </done>
  </search>

and then in your other panel:

<search base="all">
     <query>
 | eval user= $user$| table *
     </query>

View solution in original post

Reply
Solved! Jump to solution

nick405060
Motivator
‎11-29-2018 04:15 PM

I also tried this using a left join as a pseudo eval... and it still doesn't work. I think that search index=_internal \[ rest /services/authentication/current-context/context | fields + username] just hates being inside other brackets no matter if it's a left join or eval

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎11-29-2018 03:36 PM

what if you created a token with the search?

<search>
    <query>index=_internal [ |rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user</query>
    <done>
    <set token="user">results.user</set>
    </done>
  </search>

and then in your other panel:

<search base="all">
     <query>
 | eval user= $user$| table *
     </query>
Reply
Solved! Jump to solution

nick405060
Motivator
‎11-29-2018 04:27 PM

Okay awesome, got it! I'm not sure if you meant I should create a token in the base search that I should use in the subsearch (I think that's what you meant), which is what I mentioned in my previous comment as still not working.

However, if I create a third "hidden" search that is JUST the rest call, then I can use that token in the subsearch. So basically the order Splunk processes the data is, rest_search (creating token) -> base_search -> subsearch (uses token)

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎11-29-2018 03:55 PM

Interesting, when I saw your answer I got excited because it definitely seems like that would fix it. However, if I do what you described and move REST to the base search and create a token, then I get the same error in the base search. Just like before, if I edit the REST code snippet so that it no longer involves a rest call, then I no longer get the error.

Since the REST code snippet works by itself, there must be something going on in my base search that somehow makes it not work.... I have no idea what it could be. My base search is only inputcsvs, index searches, and joins.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎11-29-2018 04:22 PM

Can you share your xml? This works on my test dashboard. What version are you on? What capabilities does your role/user have?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...