topic Re: Reuse-able Pattern matching blocks for eval? in Splunk Enterprise

Reuse-able Pattern matching blocks for eval?

splunkernator — Sun, 10 Jul 2022 19:09:56 GMT

Code is easier to explain: I wanted a bunch of new categories and i found eval especially useful - here is an obfuscated example

| index=my_index CONNECTED source="/var/log/vmware/my_log.log" | eval vdi_pool=case( match(name,"1A-VDI\d{3}"), "pool1", match(name,"1B-VDI\d{3}"), "pool2", match(name,"2A-VDI\d{3}"), "pool3", match(name,"2B-VDI\d{3}"), "pool4", match(name,"3A-VDI\d{3}"), "pool5", match(name,"3B-VDI\d{3}"), "pool6", 1=1, "unclassified" ) | timechart span=1h count by vdi_pool

This made the subsequent querys super easy. Irritatingly within the dashboard, if I add a new value I need to update all of the queries - this vexes me greatly 😥

I have noticed the entire definition can be downloaded as a json doc - so Im tempted to start templating this in python - this does not seem sane - ideally I'd like to create blocks of repeatable logic I can assemble together to show different scenarios.

Anyone done anything similar to achieve this kind of capability - but more "splunkonic"?

Re: Reuse-able Pattern matching blocks for eval?

bowesmana — Mon, 11 Jul 2022 00:04:18 GMT

If this is reusable code, then it should be a macro - then if it changes, just change the macro definition and all uses of the macro will use the new definition.

Re: Reuse-able Pattern matching blocks for eval?

splunkernator — Thu, 28 Jul 2022 20:21:20 GMT

have you got any good links? else I'll just search

Re: Reuse-able Pattern matching blocks for eval?

bowesmana — Sun, 31 Jul 2022 22:08:40 GMT

https://docs.splunk.com/Documentation/Splunk/8.2.7/Knowledge/Definesearchmacros

https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Usesearchmacros