Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass the values of an evaluated field into a summary index with collect?

rcorfield
Explorer
‎07-11-2018 08:45 AM

Hi

I am trying to adjust an existing process which collects results of a query into a summary index. What I'm trying to do is add a new evaluated field and pass it into the summary index. I've been looking at the 'marker' option to 'collect', but that passes a string directly rather than the value of the field. Is there any way to pass the value of the field?

This is roughly what I'm trying:

index=<index> <query>
   | eval score1 = if(<subquery1>, 1, 0)
   | eval score2 = if(<subquery2>, 1, 0)
   | eval score_total = score1 + score2
| collect index=<summary_index> marker="score_total=score_total"

I was naively hoping that the 'score_total' field in the summary index (which now exists) would hold the evaluated numeric value, but unfortunately (for me) it contains the string 'score_total'.

Is there any way to achieve what I'm trying to do here? Or some alternative?

Thanks in advance.

Richard

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rcorfield
Explorer
‎07-12-2018 03:46 AM

In the end I was able to solve my problem with the help of a similar question that had been asked previously:
https://answers.splunk.com/answers/224003/why-am-i-not-able-to-get-any-dynamic-content-using.html

I added the content I needed to the _raw field and this was then available as a field in the summary index:

 index=<index> <query>
    | eval score1 = if(<subquery1>, 1, 0)
    | eval score2 = if(<subquery2>, 1, 0)
    | eval score_total = score1 + score2
    | eval _raw=_raw.", score_total=".score_total
 | collect index=<summary_index>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rcorfield
Explorer
‎07-12-2018 03:46 AM

In the end I was able to solve my problem with the help of a similar question that had been asked previously:
https://answers.splunk.com/answers/224003/why-am-i-not-able-to-get-any-dynamic-content-using.html

I added the content I needed to the _raw field and this was then available as a field in the summary index:

 index=<index> <query>
    | eval score1 = if(<subquery1>, 1, 0)
    | eval score2 = if(<subquery2>, 1, 0)
    | eval score_total = score1 + score2
    | eval _raw=_raw.", score_total=".score_total
 | collect index=<summary_index>
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2018 05:28 AM

@rcorfield If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-11-2018 08:16 PM

Why not just this?

 index=<index> <query>
    | eval score1 = if(<subquery1>, 1, 0)
    | eval score2 = if(<subquery2>, 1, 0)
    | eval marker = "score_total=" . score1 + score2
 | collect index=<summary_index>
0 Karma
Reply
Solved! Jump to solution

rcorfield
Explorer
‎07-12-2018 03:47 AM

Thanks, but unfortunately I still couldn't see score_total in the summary index using this suggestion.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-11-2018 04:42 PM

Try concatenating. See if one of these matches your needs:

 | collect index=<summary_index> marker=tostring("score_total=".score_total)

OR

 | eval score_total="score_total=".score_total)
 | collect index=<summary_index> marker=score_total
0 Karma
Reply
Solved! Jump to solution

rcorfield
Explorer
‎07-12-2018 03:50 AM

Thanks for your suggestions, but unfortunately it still wouldn't populate it with the value of the field, so instead I ended up with things like

marker="score_total".score_total

I solved it by appending my field to the _raw field in the end.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...