Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eval IP function - help

griggsy
New Member
‎04-26-2018 01:47 AM

Hello,

I have a search woring which returns single IP addresses as source for certain events. As part of this I want to pass the source address into the eval function. I have eval working with "eval ip = "10.0.0.2" I am then passing this into a lookup table and everything is great but I want to automate this so that the results from source are automatically passed through eval IP and then matched on my lookup so that I can return additional information form the lookup.

However I can't get the eval function to use the results from the source field returned as per the search. I have tried the following:

eval IP = source
eval source as IP

I must be missing something can someone put me out my misery please?

Tags (1)
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-26-2018 05:20 AM

Whenever you use eval and you want to pass a field into it, you must have single tic's around the field value.

So if you wanted IP to be source, it would look like this

| eval IP='source'

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...