Solved: Re: is there a way to pass field value from search...

ak9092 · ‎05-20-2022

Hey Splunkers,

I am not sure if this is possible or not but what i was trying to do is something like passing the values of search in the eval command to basically form a statement or an event .

So for example consider below search returns multiple users first name, last name and country details.

Now with that field values what i am trying to do is create a eval statement like below-

index=foo source=user_detail

|table first_name last_name country

|eval statement = My name is "$first_name $ $last_name$ and i come from $country$

|table statement

But this is not passing those field values to eval statement, so anyone knows if there is a way we can do this ?

Thanks.

gcusello · ‎05-20-2022

Hi @ak9092,

let me understand: you want to concatenatethree fields value in only one, is it correct?

if this is your need, please try this:

index=foo source=user_detail
| eval statement="My name is ".first_name." ".last_name." and i come from ".country
| table statement

Ciao.

Giuseppe

View solution in original post

gcusello · ‎05-20-2022

Hi @ak9092,

let me understand: you want to concatenatethree fields value in only one, is it correct?

if this is your need, please try this:

index=foo source=user_detail
| eval statement="My name is ".first_name." ".last_name." and i come from ".country
| table statement

Ciao.

Giuseppe

ak9092 · ‎05-20-2022

That's exactly what I needed, Thanks much @gcusello

gcusello · ‎05-20-2022

Hi @ak9092,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Is there a way to pass field value from search to write kind of an event in the same search using eval command?

fields

search job inspector

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?