topic Re: Save value into a variable in Splunk Search

Save value into a variable

Naaba — Fri, 30 Dec 2016 13:45:39 GMT

Hi,

I use Talend Open Studio to collect data on Gitlab (via Gitlab API) and send them to Splunk.

As Gitlab continually has new data over time, I want to save the pull position. So at the next pull I will pull only the new data.

Is it possible to create a variable on Splunk, save a value on this variable, and update the variable?
If it is possible to create a variable on Splunk, is it possible to make (HTTP?) request to Splunk to retrieve the value of a variable?

Thank you for your answer

Re: Save value into a variable

skoelpin — Fri, 30 Dec 2016 14:51:24 GMT

By variable you mean a field right? If so then you will need to write a regular expression to capture the values for your field. Post some sample data and what you want to capture

If you already have a field defined and you want to create a variable in your search, you will then need to use eval

https://answers.splunk.com/answers/71194/declare-a-variable-in-search-string.html

Re: Save value into a variable

Naaba — Fri, 30 Dec 2016 15:13:08 GMT

Hi Skoelpin,

I send data in JSON format to splunk :

{
     event: test
     description: splunk test   
     issue_id: 1
     updated_at: 2016-01-04T15:31:39.996Z
}

I have two serveurs : One server with my script and the second one with Splunk
I want to make request to Splunk from my first server to retrieve/update the value save in "updated_at".
Is it possible?

Re: Save value into a variable

skoelpin — Fri, 30 Dec 2016 18:52:12 GMT

So you want to capture the value from updated_at: and send that value to another server?

If so then you should create a field to capture the value, here's the regex to do so

updated_at\:\s(?<UpdatedTime>\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+Z)

The field will be called UpdatedTime and have many values..

You can then create a Splunk alert anytime this field has a new value and trigger a script which can make a update the value

Re: Save value into a variable

Naaba — Wed, 11 Jan 2017 14:28:20 GMT

Sorry for the late. Thank you very much for your answer.

Re: Save value into a variable

skoelpin — Thu, 12 Jan 2017 15:57:15 GMT

@Naaba , if this answered your question, can you please accept it?