topic Search with a Variable in Splunk Search

Search with a Variable

JuanAntunes — Thu, 29 Apr 2021 22:06:42 GMT

Hi Team How are u?

I have a little question

I have a index with same informations,

index="epo" source="endpoint"

In this search will return a column with "JustificationText", Which contains a ticket number

And with this number I need to search in another index to get some information

Today i'm doing this way:

index="epo" source="endpoint" | rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})" | eval TicketNumber = number | dedup ViolationLocalTime IncindetId | join type=left [search index=servicenow sourcetype="snow:service_task" dv_number = TicketNumber] | table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

All the data from the first serach is coming ok but when I do a second search with the variable "TicketNumber" nothing returns to me.

If i for example, put a ticket in

| join type=left [search index=servicenow sourcetype="snow:service_task" dv_number = "REQ0000197"]

Data are brought, but the same for all events

My question is how can I do this second search using a variable?

Thanks in advance!

Re: Search with a Variable

ITWhisperer — Thu, 29 Apr 2021 22:48:27 GMT

You could try something like this - join with a common field name e.g. dv_number instead of TicketNumber

index="epo" source="endpoint" | rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})" | eval dv_number = number | dedup ViolationLocalTime IncindetId | join type=left dv_number [search index=servicenow sourcetype="snow:service_task" ] | table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

Re: Search with a Variable

JuanAntunes — Fri, 30 Apr 2021 10:19:58 GMT

Hi @ITWhisperer Thanks you for reply

But running the query the way you told me still doesn't return anything

in the events that are found the tickets, we should have the columns of the NOW table, but it is always blank

Any other suggestions? Thank you very much!

Re: Search with a Variable

ITWhisperer — Fri, 30 Apr 2021 11:35:32 GMT

I can't see any reason why it would not work. Can you try a different way of forcing the join to return the same ticket for all events?

index="epo" source="endpoint" | rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})" | eval dv_number = "REQ0000197" | dedup ViolationLocalTime IncindetId | join type=left dv_number [search index=servicenow sourcetype="snow:service_task" ] | table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location