Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to pass field value from search to write kind of an event in the same search using eval command?

ak9092
Path Finder
‎05-20-2022 07:38 AM

Hey Splunkers,

I am not sure if this is possible or not but what i was trying to do is something like passing the values of search in the eval command to basically form a statement or  an event .

So for example consider below search returns multiple users first name, last name and country details.

Now with that field values what i am trying to do is create a eval statement like below-

index=foo source=user_detail

|table first_name  last_name country

|eval statement = My name is "$first_name $ $last_name$ and i come from $country$

|table statement

 

But this is not passing those field values to eval statement, so anyone knows if there is a way we can do this ?

Thanks.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:04 AM

Hi @ak9092,

let me understand: you want to concatenatethree fields value in only one, is it correct?

if this is your need, please try this:

index=foo source=user_detail
| eval statement="My name is ".first_name." ".last_name." and i come from ".country
| table statement

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:04 AM

Hi @ak9092,

let me understand: you want to concatenatethree fields value in only one, is it correct?

if this is your need, please try this:

index=foo source=user_detail
| eval statement="My name is ".first_name." ".last_name." and i come from ".country
| table statement

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ak9092
Path Finder
‎05-20-2022 08:17 AM

That's exactly what I needed, Thanks much @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:26 AM

Hi @ak9092,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...