
not editable fields

sfatnass
Contributor

Hi everybody,

I'm trying to conserve the content of a field value but I don't understand how I can.

In my search:
index=A OR index=B
initial: field1 is here
<here I'm using filtering with regex and dbquery>
after that I get filtered (field1) = field2
but if I want to reuse the initial value of field1 I have to use join or append [index=A OR index=B field1]
How can I reuse the initial field1 without join or append?

PS: I tried to use eval newfield=field1 but it doesn't work, the newfield does not remain as it is.
I'm thinking about kvstore but if I can use a special command it will be great.
thx


DavidHourani
Super Champion

Could you please post the regex you are using? Are you applying the regex on the raw data? Because if that's the case, even if you recreate the field it would still get modified. Make sure you apply it on the specific field.


chimell
Motivator

Hi sfatnass,

Retry with the multisearch command, which runs multiple searches at the same time.
See its syntax:

| multisearch <subsearch1> <subsearch2> <subsearch3> ...

For your case try to use:

|multisearch [search index=A OR index=B |eval field1=field2][search index=A OR index=B |fields field1]............

Tell me if it works like you want.


sfatnass
Contributor

chimell, index A can't match with index B.

For index A I have a field and I try to get a new field like
|eval newfieldA=fieldA

The fieldA will be filtered by many dbquery,
but I want to reuse newfieldA like it was before filtering.


chimell
Motivator

Can you show me your search code?
field1 belongs to which index?


sfatnass
Contributor

Oh sorry, I can't show you my code, it's not public values.


chimell
Motivator

Ok, no problem, but see my new answer above.


stephanefotso
Motivator

Hello! The only way to use the initial value of field1 is to use eval or a subsearch.
And if you use eval, do something like this: |eval newfield=field1, and not |aval field1=newfield, because that will change the initial value of field1.

Thanks

SGF

sfatnass
Contributor

I just want to reuse a field as it was before being filtered.


sfatnass
Contributor

I use |eval newfield=field1 but newfield changes. Where is aval ????


stephanefotso
Motivator

I do not know if I've understood your problem very well. Is field1 not the field you want to reuse? Because |eval newfield=field1 will not change the value of field1, but the value of newfield will be the value of field1.

SGF

sfatnass
Contributor

But I want to conserve the integral values in my new fields.


stephanefotso
Motivator

That is what you have to know. If you want to reuse the initial value of a field in your search query, do not assign a value to that field before the use of the field. For example:
Let's suppose that you have a field named field1, and that initially field1=10.
Then in your search query, if you do something like this: ...|eval field1=50|eval field2=field1+5|table field1 field2
result:

field1 field2
50     55

As you can see, the initial value of field1 has changed, and that is why field2=55.

But if you do it like this: ...|eval field2=field1|eval field3=field1+5|table field1 field2 field3
result:

field1 field2 field3
10     10     15

Here the initial value of field1 did not change, and that is why you have field3=15.

Thanks

SGF
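Added example, not written by any poster in this thread: a self-contained SPL search that uses makeresults (so it needs no index) to show the preserve-before-modify pattern the answers describe. The field name field1_orig, the sample value and the rex mode=sed rewrite are assumptions standing in for the asker's regex/dbquery filtering; the copy made by eval keeps the original value while rex rewrites field1 in place.

```spl
| makeresults count=1
| eval field1="alice@example.com"
| eval field1_orig=field1
| rex field=field1 mode=sed "s/@.*$//"
| table field1_orig field1
```

Swapping the order of the eval and rex lines shows the failure mode from the thread: the copy is then taken after the rewrite and both columns hold the filtered value.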