
For every command we filter fields and give a few fields to the next command; why does eval give all fields to the next command?


index=* sourcetype=history browser=chrome | eval name="raj" gives output with many fields, like sourcetype, browser, host, etc.

index=* sourcetype=history browser=chrome | table sourcetype gives only sourcetype.

Is there any command like eval?


Re: For every command we filter fields and give a few fields to the next command; why does eval give all fields to the next command?


The initial search gives all fields to eval, and eval adds one field to that set.
You can combine commands like this:

index=* sourcetype=history browser=chrome | table sourcetype | eval name="raj"
