Re: not editable fields

sfatnass · ‎06-12-2015

hi everybody,

i'm try to conserve content field value but i don't understand how i can.

in my search :
index=A OR index=B
initial : field1 is here
<here i'm using filtering with regex and dbquery>
after that i get filtered (field1) = field2
but if i want to reuse the initial value of field1 i should to use join or append [index=A OR index=B field1]
how can i reuse the initial field1 without join or append.

ps : i tryed to use eval newfield=field1 but it don't work the newfield does not remain as it is
i'm thinking about kvstore but if i can use a special commands it will be great
thx

DavidHourani · ‎06-30-2015

Could you please post the regex you are using ? are you applying the regex on the raw data ? because if thats the case even if you recreate the field it would still get modified.. make sure you apply it on the specific field.

chimell · ‎06-30-2015

Hi sfatnass

Retry with multisearch command which Run multiple searches at the same time.
See it syntax

| multisearch <subsearch1> <subsearch2> <subsearch3> ...

For you case try to use

|multisearch [search index=A OR index=B |eval field1=field2][search index=A OR index=B |fields field1]............

Tell if it works like you want

sfatnass · ‎06-30-2015

chimell the index A can't match with index B

for index A i have a field and i try to get a newfield like
|eval newfieldA=fieldA

the fieldA will be filtered by many dbquery
but i want to reuse newfieldA like it was before filtering.

chimell · ‎06-30-2015

Can you show me your search code ?
field1 below to which index ?

sfatnass · ‎06-30-2015

oh sorry i can't show you my code it's not public values

chimell · ‎06-30-2015

Ok without problem but see my new answer above

stephanefotso · ‎06-12-2015

Hello! The only way to use the initial value of field1 it is to use the eval or a subsearch.
And if you use eval, do something like this: |eval newfield=field1, and not |aval field1=newfield, because it will change the initial value of field1.

Thanks

SGF

sfatnass · ‎06-30-2015

i just want to reuse a field as it was before being filtered

sfatnass · ‎06-12-2015

i use |eval newfield=field1 but newifield change where is aval ????

stephanefotso · ‎06-12-2015

I do not know if I've understood very well your problem. field1 is not the field you want to reuse? Because |eval newfield=field1 will not change de value of field1, But the value of newfield will be the value of field1.

SGF

sfatnass · ‎06-12-2015

but i want to conserve the integral values in my new fields

stephanefotso · ‎06-12-2015

That is what you have to know. If you want to reuse the initial value of a field in your search query, do not assign to that field a value, before the use of the field. For example:
Let suppose that you have a field named field1, and that, initially field1=10.
Then in your search query, if you do something like this: ...|eval field1=50|eval field2=field1+5|table field1 field2
result:

field1 field2
50 55

As you can see, the initial value of field1 has change, and that is why field2=55.

But if you do like this: ...|eval field2=field1|eval field3=field1+5|table field1 field2 field3
result:
field1 field2 field3
10 10 15
Here the initial value of field1 did not change, and t that is why you have field3=15

Thanks

SGF

not editable fields

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform