I am trying to get the value of a field from a previously scheduled saved search into a new field using loadjob, however I am unable to get it to work.
I am using something like:
index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]
wherein:
myuserid - owner id
my_app - the application name
my_saved_search - name of the saved search that is present in savedsearches.conf & is scheduled
actor - a field name in my_saved_search
1. This is not a valid SPL. Please post your literal search in a code block or preformatted paragraph.
2. What do you mean "unable to work"? What results are you getting?
Apologies I am new to SPL.
My requirement is to get values of a previously run saved search in a new field in current search.
And I have only changed the names in my original search, it is what I was trying to use:
index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]
I was getting Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression.
Which possibly means the block of commands in [] is not returning a value as expected by eval. Any help on how I can get all the field values into a field in my current search would be appreciated.
OK. If you do
[| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]
Splunk will run the subsearch - load the saved search and return a string containing
actor=something
Which means your main search will effectively be
index=my_pers_index sourcetype=ACCT
| eval userid = actor=something
This is not valid SPL. Eval - as your error says - needs an assignment of field=value.
You need to return just the value from your subsearch. And for that there is a special syntax.
index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return $actor]
Thank you for your response.
I added the $ sign in the return field ($actor), however I am still getting the below error.
Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression.
If you run your subsearch on its own does it return any values?
If you meant that if I run below only:
| loadjob savedsearch="myuserid:my_app:my_saved_search"
It runs & returns 0 events, as the last run of the search did not return any result.
So if you have no events to extract the "actor" field value from, there is no value to substitute into the main search, hence the error, because it effectively becomes
| eval something=
Understood. I will find a way to handle that, as my search does not return a result every time.
Thank you for your patience & help.
You can use a trick of appending a static result (the fallback) and returning only the first row. The problem is that you have multiple levels of subsearch expansion, so you have to make sure that you properly return the results as a string. For this you have to not just use "return" but manually craft the "search" field.
| eval userid = [ | loadjob savedsearch=user:app:search
| append [ | makeresults | eval actor="default" ]
| head 1
| return "\"".actor."\"" ]