Hi,
I'm trying to calculate a value through some lookup statements and then put that value into a variable using eval. I've been googling and reading documentation for a while now and "return" seems the way to go, but I can't get it to work.
Basically what I want to do is:
somesearch | eval somevar=[ subsearch | lookup | return $lookupresult ]
But whatever I try, I never get the "somevar" field in my resulting events.
I tried boiling it down to a very simple dummy query to test this, but even this does not return any "aatest" field in the resulting event:
index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]
As I understand it, this should just return the "aatest" field with value "test" in the 1 resulting event, no?
Thanks!
Problem solved (thanks to distributor support)! To pass strings, the quotes need to be added to the variable in the subsearch (which makes sense when you think about it):
index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"test\"" | return $ip ]
Weird, the solution didn't work out for me; it returned the string "ip" instead of the expected ip field value.
But this slightly adapted variant worked for me:
index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"" + test + "\"" | return $ip ]
Hi
This is the way if you want to return the value of some field from an inner search. It seems that it is expecting those " marks outside of the value.
r. Ismo
Another hint: ... | return $ip | format ]
Surprising! I think it should work. Here's an example which is working perfectly:
index=_internal |eval aaa=[search index=_internal sourcetype="splunkd"|head 1|eval c2="45555"|return $c2]
or
index=_internal |eval aaa= 1 + [search index=_internal sourcetype="splunkd"|stats count as c1|return $c1]|table aaa
Your 2 tests worked for me as well, so I started looking a bit. Seems the only difference is the value of the returned variable, where you use an integer and I use a string. And indeed, this does work:
index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="123" | return $ip ]
while this still doesn't:
index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]
What the? return should be able to return strings, no? 😕
Edit: my guess is that the return search does return a string, but it can't be mapped into the "aatest" variable without quotes? Now to try to fix that ...
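The guess above is the key point: a subsearch ending in return $ip is substituted into the outer search as plain text, and eval then parses that text. An unquoted word such as test is read as a field name (which the event does not have, so aatest is never created), a bare number is read as a number, and only a double-quoted value is read as a string literal. The following Python model, added here as an illustration and not Splunk's own code, reproduces that substitution-then-parse behaviour; the [SUBSEARCH] placeholder, the helper names and the tiny operand grammar (quoted string, number, bare field name, joined by +) are assumptions made for the example.

```python
"""Constructed model of Splunk's subsearch text substitution into eval.
Added example, not Splunk's implementation: it only models the part of the
behaviour discussed in the thread (how the returned text is interpreted)."""

import re

# One operand: a double-quoted string literal, a number, or a bare field name.
_OPERAND = re.compile(
    r'^\s*(?:"((?:[^"\\]|\\.)*)"|(-?\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*))\s*$'
)


def subsearch_return(field_value):
    """Model `... | eval ip=<value> | return $ip`: the subsearch's result is the
    raw field value, substituted verbatim (no quoting added) into the outer search."""
    return str(field_value)


def expand_eval(template, returned_text):
    """Textual substitution of the subsearch result into the outer eval expression."""
    return template.replace("[SUBSEARCH]", returned_text)


def _split_plus(expr):
    """Split an expression on '+' that is outside double quotes."""
    parts, buf, in_str, i = [], [], False, 0
    while i < len(expr):
        c = expr[i]
        if c == "\\" and in_str and i + 1 < len(expr):
            buf.append(c + expr[i + 1])
            i += 2
            continue
        if c == '"':
            in_str = not in_str
        if c == "+" and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def eval_operand(text, event):
    """Quoted -> string literal, numeric -> number, bare word -> field lookup
    (None when the event has no such field, which is how eval yields null)."""
    m = _OPERAND.match(text)
    if not m:
        raise ValueError(f"unparseable operand: {text!r}")
    literal, number, field = m.groups()
    if literal is not None:
        return literal.replace('\\"', '"')
    if number is not None:
        return float(number) if "." in number else int(number)
    return event.get(field)


def eval_expr(expr, event):
    """Evaluate `a [+ b ...]`: numbers add, strings concatenate, any null -> null."""
    values = [eval_operand(p, event) for p in _split_plus(expr)]
    if any(v is None for v in values):
        return None  # null result: eval does not create the output field
    if all(isinstance(v, (int, float)) for v in values):
        return sum(values)
    return "".join(str(v) for v in values)


def run(outer_template, subsearch_value, event):
    """Return (expanded expression, value of the outer eval) for one event."""
    expr = expand_eval(outer_template, subsearch_return(subsearch_value))
    return expr, eval_expr(expr, event)


if __name__ == "__main__":
    # Constructed cases mirroring the thread's searches.
    for template, value, event in [
        ("[SUBSEARCH]", "test", {}),        # eval ip="test"       -> field ref, null
        ("[SUBSEARCH]", "123", {}),         # eval ip="123"        -> number, works
        ("[SUBSEARCH]", '"test"', {}),      # eval ip="\"test\""   -> string, works
        ("1 + [SUBSEARCH]", "45555", {}),   # eval aaa=1+[...]     -> arithmetic
        ("[SUBSEARCH]", "test", {"test": "host-a"}),  # bare word hits a real field
    ]:
        expr, result = run(template, value, event)
        print(f"eval aatest={expr!s:<14} -> {result!r}")
```

The last case shows the flip side of the same parsing rule: if the event happened to carry a field with the same name as the returned word, eval would silently take that field's value instead of the intended literal, so quoting inside the subsearch is the only way to get a predictable string.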
Hum! That's a real problem! I'm troubleshooting the issue.
I've been searching some more as well, but I can't find a way to 'convert' the subsearch to something eval would recognize as a string 😕