×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
mohebtalukder
New Member
Member since: ‎03-19-2015
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-19-2015
Topics I've Started
No posts to display.
View All

Re: When I run a search by itself, it works fine, ...

by in Splunk Search
‎07-13-2016 03:24 PM
‎07-13-2016 03:24 PM
Below search works: index=_* | eval SPLITid=[search index=_audit | eval tempid=substr(id,2,5) | return $tempid] | table SPLITid But next one did not work for me when I changed the field name: index=_* | eval SPLITid=[search index=_audit | eval tempid=substr(source,2,5) | return $tempid] | table SPLITid So, I will suggest you to lookinto substr command. Put it in between " " like below: "substr(source,2,3)" Working search: index=_* | eval SPLITid=[ search index=_audit | eval tempid="substr(source,2,3)" | return $tempid] | table SPLITid I hope you will find it helpful!! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM