Splunk Search

assign value from subsearch to outer search eval

joydeep741
Path Finder

I want to get a value from subsearch assigned to outer search.

I am trying like this
index=OUTER sourcetype=OUTER_ST | eval value = [search index=INNER sourcetype=INNER_ST |eval x=10 |return $x ]

But this gives me
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

How to resolve this ?

Tags (2)
0 Karma

HiroshiSatoh
Champion

Because the return value is a string, you can not do it?
How about this?

 index=OUTER sourcetype=OUTER_ST | eval value = [search index=INNER sourcetype=INNER_ST |eval x="\"10\"" |return $x ]
0 Karma

joydeep741
Path Finder

does it matter if the inner search is searching a different index than outer search ?

I am still getting
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression

0 Karma

HiroshiSatoh
Champion

If the value is numeric, it behaves like a sample.
This error is simply because the sub search result is 0.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...