topic Re: Define & use variable in same search in Splunk Search

Define & use variable in same search

Filomenka — Mon, 13 Jul 2020 14:17:02 GMT

Hello, fellow splunkers!

I am trying to find a search string where I could define a variable & then use it in the same search.
Example:

var1=some_value; var2=some_value; | index="$var1-app01-$var2" OR index="$var1-app02-$var2" OR index="$var1-app03-$var2" "error" OR "severe"

Our current Splunk setup has too many indexes per customer/environment & this little feature would help a lot with unifying the searches.

I tried to browse the web/this forum and unfortunately did not find this or a similar issue.

Any help is appreciated, thank you!

Re: Define & use variable in same search

richgalloway — Mon, 13 Jul 2020 14:32:35 GMT

Splunk doesn't have the concept of variables. Sometimes a field can be used as a variable, however, or you can use a macro. Please explain more about "unifying the searches" so we can suggest the best method for you.

Re: Define & use variable in same search

Filomenka — Tue, 14 Jul 2020 09:17:19 GMT

Well, that is unfortunate, since the variable part would solve this issue.

We have x-customers, y-applications per customer & 3-6 environments per customer.

Indexes share the same naming convention:
index=<$customer>-<$app01>-<$environment>

We have 10+ applications, 3-6 environments per customer & every search is a hard-coded index with customer-app-evironment.

We have a dashboard per customer created with specific searches but for ad-hoc debugging this is my personal go-to (splunk search) for filtering interesting data.

The reason for this post was to create an "ultimate one-line" search, where only 2 parts of the data would change (input for the search => variable).

I am not sure this is the right approach, but it definitely looks like the easiest.

Re: Define & use variable in same search

richgalloway — Tue, 14 Jul 2020 12:39:44 GMT

Thanks for the explanation.
Perhaps you could put the search into a dashboard and have selectors at the top to choose the index. Those selectors would become tokens in the search.

Re: Define & use variable in same search

Filomenka — Wed, 15 Jul 2020 05:39:09 GMT

As mentioned I already have dashboards in place with the needed filters:

Trying to think this through - can I add a "custom field" (type string) which would be used as an additional filter (in the screenshot)?
This way I could achieve the same thing you mentioned (dashboard with selectors) + the custom field & it would solve the issue.

BTW Thank you for your time & effort @richgalloway , I really appreciate it.

Re: Define & use variable in same search

richgalloway — Wed, 15 Jul 2020 12:26:06 GMT

Yes, that should work.

Re: Define & use variable in same search

Filomenka — Wed, 15 Jul 2020 13:41:48 GMT

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark"> <label>debug-dashboard-beta</label> <description>closeml debug</description> <fieldset submitButton="true" autoRun="true"> <input type="time" token="time"> <label>Time range</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="Customer"> <label>Customer</label> <choice value="*">ALL</choice> <choice value="abc">ABC</choice> <choice value="123">123</choice> <choice value="xyz">XYZ</choice> </input> <input type="dropdown" token="Environment"> <label>Environment</label> <choice value="*">ALL</choice> <choice value="prod">prod</choice> <choice value="acc">acc</choice> <choice value="test">test</choice> <choice value="dev">dev</choice> </input> <input type="dropdown" token="Label"> <label>Label</label> <selectFirstChoice>true</selectFirstChoice> <choice value="">No label</choice> <choice value="b">b</choice> <choice value="c">c</choice> </input> <input type="text" token="custom_search"> <label>Custom search</label> <default>"0200 error" OR "0200 severe"</default> </input> </fieldset> <row> <panel> <event> <search> <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="count">20</option> <option name="list.drilldown">none</option> <option name="list.wrap">1</option> <option name="maxLines">5</option> <option name="raw.drilldown">full</option> <option name="rowNumbers">0</option> <option name="table.drilldown">all</option> <option name="table.sortDirection">asc</option> <option name="table.wrap">1</option> <option name="type">list</option> </event> </panel> </row> </form>

Re: Define & use variable in same search

richgalloway — Wed, 15 Jul 2020 15:13:14 GMT

If your problem is resolved, then please click a "Accept as Solution" button to help future readers.