eval IP function - help

griggsy · ‎04-26-2018

Hello,

I have a search woring which returns single IP addresses as source for certain events. As part of this I want to pass the source address into the eval function. I have eval working with "eval ip = "10.0.0.2" I am then passing this into a lookup table and everything is great but I want to automate this so that the results from source are automatically passed through eval IP and then matched on my lookup so that I can return additional information form the lookup.

However I can't get the eval function to use the results from the source field returned as per the search. I have tried the following:

eval IP = source
eval source as IP

I must be missing something can someone put me out my misery please?

skoelpin · ‎04-26-2018

Whenever you use eval and you want to pass a field into it, you must have single tic's around the field value.

So if you wanted IP to be source, it would look like this

| eval IP='source'

eval IP function - help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

eval IP function - help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026