Why can't I do an eval with a rest call in a subsearch?

nick405060
Motivator

Hi there,

I'm trying to add a column to my base search that is the user currently logged into Splunk. This is a code snippet I'll call REST:

search index=_internal [ rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)=="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\"" | return $user

I can eval to the code snippet, if it's not a subsearch:

| makeresults | eval user=[<REST>]

However, I cannot eval to the code snippet as a subsearch:

<search base="all">
    <query>
| eval user= [<REST>] | table *
    </query>
</search>

It just tells me:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

I don't have the problem if I do the exact same thing but change the code snippet so that it doesn't involve a rest call.

0 Karma
1 Solution

cmerriman
Super Champion

What if you created a token with the search?

<search>
    <query>index=_internal [ |rest /services/authentication/current-context/context | fields + username] | rename username as user | dedup user | search user != "splunk-system-user" | head 1 | eval user=if(substr(user,1,3)="sa_",substr(user,4,8),user) | eval user="\"".substr(user,1,4)."\""</query>
    <done>
    <set token="user">$result.user$</set>
    </done>
</search>

and then in your other panel:

<search base="all">
    <query>
| eval user= $user$ | table *
    </query>
</search>


nick405060
Motivator

I also tried this using a left join as a pseudo eval... and it still doesn't work. I think that search index=_internal [ rest /services/authentication/current-context/context | fields + username] just hates being inside other brackets no matter if it's a left join or eval.

0 Karma

nick405060
Motivator

Okay awesome, got it! I'm not sure if you meant I should create a token in the base search that I should use in the subsearch (I think that's what you meant), which is what I mentioned in my previous comment as still not working.

However, if I create a third "hidden" search that is JUST the rest call, then I can use that token in the subsearch. So basically the order Splunk processes the data is, rest_search (creating token) -> base_search -> subsearch (uses token)

0 Karma
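The three-search layout this thread converges on, as an added example dashboard that is not from the thread: a hidden search that only resolves the logged-in user and sets the token when it finishes, the base search, and the post-process search that consumes the token. The dashboard label, the search ids and the base-search query are assumptions; the token search ends in an eval rather than `return`, because `return` places its value in a field named `search`, so `$result.user$` would otherwise be empty.

```xml
<dashboard>
  <label>Current user column (added example)</label>

  <!-- 1. Hidden search with no panel: runs on load and only resolves the
       viewing user. The leading pipe is required because rest is a
       generating command. -->
  <search id="whoami">
    <query>
      | rest /services/authentication/current-context/context
      | fields username
      | rename username as user
      | search user != "splunk-system-user"
      | head 1
      | eval user=if(substr(user,1,3)="sa_", substr(user,4,8), user)
      | eval user=substr(user,1,4)
    </query>
    <done>
      <!-- $result.user$ is the "user" field of the first result; there is no
           return command, so the value is in "user", not in "search" -->
      <set token="user">$result.user$</set>
    </done>
  </search>

  <!-- 2. Base search (query is an assumption, stands in for your own) -->
  <search id="all">
    <query>index=_internal sourcetype=splunkd | head 100</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Events annotated with the viewing user</title>
      <table>
        <!-- 3. Post-process search: depends="$user$" holds it back until the
             token exists, so eval never sees an empty literal and fails to
             parse -->
        <search base="all" depends="$user$">
          <query>| eval user="$user$" | table _time user sourcetype</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```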

nick405060
Motivator

Interesting, when I saw your answer I got excited because it definitely seems like that would fix it. However, if I do what you described and move REST to the base search and create a token, then I get the same error in the base search. Just like before, if I edit the REST code snippet so that it no longer involves a rest call, then I no longer get the error.

Since the REST code snippet works by itself, there must be something going on in my base search that somehow makes it not work... I have no idea what it could be. My base search is only inputcsvs, index searches, and joins.

0 Karma

cmerriman
Super Champion

Can you share your xml? This works on my test dashboard. What version are you on? What capabilities does your role/user have?

0 Karma