Splunk Search

How to return a single value from a subsearch into eval

Sloefke
Path Finder

Hi,

I'm trying to calculate a value through some lookup statements and then put that value into a variable using eval. I've been googling and reading documentation for a while now and "return" seems the way to go, but I can't get it to work.

Basically what I want to do is:

somesearch | eval somevar=[ subsearch | lookup | return $lookupresult ]

But whatever I try, I never get the "somevar" field in my resulting events.

I tried boiling it down to a very simple dummy query to test this, but even this does not return any "aatest" field in the resulting event:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]

As I understand it, this should just return the "aatest" field with value "test" in the 1 resulting event, no?

Thanks!

1 Solution

Sloefke
Path Finder

Problem solved (thanks to distributor support)! To pass strings, the quotes need to be added to the variable in the subsearch (which makes sense, thinking about it):

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"test\"" | return $ip ]

mhergh
Explorer

Weird, the solution didn't work out for me; it returned the string "ip" instead of the expected ip field value.

But this slightly adapted variant worked for me:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="\"" + test + "\"" | return $ip ]

evelenke
Contributor

Another hint ... | return $ip | format ]

stephanefotso
Motivator

Surprising! I think it should work. Here's an example which is working perfectly:

index=_internal |eval aaa=[search index=_internal sourcetype="splunkd"|head 1|eval c2="45555"|return $c2]

or

index=_internal |eval aaa= 1 + [search index=_internal sourcetype="splunkd"|stats count as c1|return $c1]|table aaa

Sloefke
Path Finder

Your 2 tests worked for me as well, so I started looking a bit. Seems the only difference is the value of the returned variable, where you use an integer and I use a string. And indeed, this does work:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="123" | return $ip ]

while this still doesn't:

index=main | head 1 | eval aatest=[ search index=main | head 1 | eval ip="test" | return $ip ]

What the? return should be able to return strings, no? 😕

Edit: my guess is that the return search does return a string, but it can't be mapped into the "aatest" variable without quotes? Now to try to fix that ...

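Why the integer works, the bare string vanishes, and the quoted string works, as an added illustration that is not code from the thread or from Splunk: the output of `return $ip` is spliced into the outer search as raw text, and only then does the outer `eval` parse it. A bare `test` is therefore read as a reference to a field named `test`, which the event does not have, so `aatest` is null and never appears. The Python below is a deliberately small model of that parse step (a numeric literal, a double-quoted string literal, or otherwise a field reference); it is not Splunk's parser, and the sample event is constructed. It also shows the caveat the thread's fix carries: a value that itself contains a double quote has to be escaped before it is wrapped, or it breaks out of the literal and changes how the outer search is parsed.

```python
"""Model of `... | eval dest=[ subsearch | return $field ]` text splicing.

Added illustration, not Splunk code. The evaluator below is a stand-in for
the part of eval that resolves a single token; real SPL is far richer.
"""
import re
from typing import Optional, Union

Value = Union[int, float, str]

# Constructed sample event standing in for the one `index=main | head 1` returns.
SAMPLE_EVENT = {"_raw": "Jan  1 00:00:00 web01 sshd[1]: Accepted publickey", "host": "web01"}


def subsearch_return(field_value: Value) -> str:
    """`| return $field` emits the field's VALUE as raw search text: no field
    name, no quoting of its own. An int comes out as digits, a string as its
    bare characters."""
    return str(field_value)


def eval_token(expr: str, event: dict) -> Optional[Value]:
    """Resolve one eval token the way the thread's observations imply:
    digits -> number, "..." -> string literal (with \\" and \\\\ unescaped),
    anything else -> field reference, which is null when the field is absent."""
    expr = expr.strip()
    if re.fullmatch(r"-?\d+(\.\d+)?", expr):
        return float(expr) if "." in expr else int(expr)
    m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"', expr)
    if m:
        return re.sub(r"\\(.)", r"\1", m.group(1))
    return event.get(expr)  # bare word: look it up as a field on the outer event


def outer_eval(dest: str, spliced_text: str, event: dict) -> dict:
    """`... | eval dest=[ subsearch ]`: the subsearch output is spliced in as
    text, then parsed. A null result means `dest` simply is not created,
    which is why no `aatest` field shows up in the thread's failing case."""
    value = eval_token(spliced_text, event)
    out = dict(event)
    if value is not None:
        out[dest] = value
    return out


def spl_quote(s: str) -> str:
    """What the accepted answer does by hand with eval ip="\\"test\\"": wrap the
    value in double quotes so the outer eval sees a string literal. Embedded
    backslashes and quotes are escaped first so the value cannot terminate
    the literal early and be parsed as further search text."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


if __name__ == "__main__":
    # Failing case from the thread: `test` becomes a field reference.
    print(outer_eval("aatest", subsearch_return("test"), SAMPLE_EVENT))
    # Working cases: a number, and a string quoted inside the subsearch.
    print(outer_eval("aatest", subsearch_return(123), SAMPLE_EVENT))
    print(outer_eval("aatest", subsearch_return(spl_quote("test")), SAMPLE_EVENT))
    # A bare value that happens to name a field silently reads that field.
    print(outer_eval("aatest", subsearch_return("host"), SAMPLE_EVENT))
    # Naive wrapping breaks on an embedded quote; spl_quote() survives it.
    print(outer_eval("aatest", subsearch_return('"say "hi""'), SAMPLE_EVENT))
    print(outer_eval("aatest", subsearch_return(spl_quote('say "hi"')), SAMPLE_EVENT))
```

The fourth case is the one to watch in real searches: if the returned value happens to equal the name of a field on the outer events, the bare form does not fail visibly, it quietly copies that field. Quoting in the subsearch, with embedded quotes escaped, removes both the silent substitution and the breakout.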

stephanefotso
Motivator

Hmm! That's a real problem! I'm troubleshooting the issue.


Sloefke
Path Finder

I've been searching some more as well, but I can't find a way to 'convert' the subsearch to something eval would recognize as a string 😕
