Hi dhruv101,
simply switch the searches, so that your sub search returns the eval result to the base search.
Try this run-everywhere example, which will not return any result:
index=_*
[ search index=_audit
| stats count by sourcetype
| sort - count
| head 5
| eval foo=case(count > 1000, "lots", count < 1000, "less", 1=1, "unknown")
| table foo
| format ]
But looking at the litsearch in the job inspector, you can see that foo was used in the base search 😉
litsearch (index=_* foo="lots") | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Hope this helps ...
cheers, MuS