Basically, what I need to do is take some values (x, y, z) that are stored in the summary index, then for each x value, run a subsearch to find values for foo and bar, then create one record with x, y, z, foo, and bar.
Pseudo search:
index=summary earliest=01/01/2016:00:00:00 search_name= | foreach x [eval foo=[search earliest=01/01/2016:00:00:00 <> | fields foo | dedup foo | return $foo]] | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 <> | fields bar | dedup bar | return $bar]]
Where I'm running into trouble is getting eval to accept a string value from return.
A foreach/eval/subsearch works when I return a number:
index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar=9 | return $myvar]]
But the same combo fails to populate bar if I return a string:
index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar="alskdfj" | return $myvar]]
If I take out the subsearch, eval will accept the string:
index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar="alskdfj"]
Does anyone know why eval works in the first and third case, but not the second?