topic Re: Eval command in Splunk Search

Eval command

splunklearner — Wed, 05 Feb 2025 12:05:27 GMT

Hello,

We have separate indexes created for non-prod and prod.

Sample index name :

sony_app_XXXXXX_non_prod - for non-prod env

sony_app_XXXXXX_prod - for prod env

XXXXX are Application ID numbers (different) and we have different indexes as well (along with non-prod and prod).

I want a field called env which should pick index details like for all non-prod indexes, the env should be Non-Prod and for Prod indexes, env should be Prod.

Given below command

index=sony* |eval env= if(index="*non_prod*", "Non-Prod", "Prod"). This will not work for Prod because we have different indexes as well which not include either non_prod or prod.

but it is giving all values as Prod in env.

Kindly help me with the solution to achieve this.

Re: Eval command

PickleRick — Wed, 05 Feb 2025 12:04:59 GMT

eval env= if(index="*non_prod*", "Non-Prod", "Prod")

This won't work. At least not the way you want it to.

Your condition tries to match the index to the literal value of *non_prod*. Since index name cannot contain asterisks this condition will never evaluate to true.

You need to use one of the other comparison functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

Suitable candidates:

like()

match()

searchmatch()

Re: Eval command

splunklearner — Wed, 05 Feb 2025 12:15:01 GMT

@PickleRick giving this getting error...

Re: Eval command

splunklearner — Wed, 05 Feb 2025 12:37:03 GMT

Re: Eval command

PickleRick — Wed, 05 Feb 2025 12:44:23 GMT

OK. Back up a little. Read the descriptions for those functions. In detail.

searchmatch() needs a string containing normal search condition(s). That means that you could use it like this:

searchmatch("index=\"*prod*\"")

As you can see - you need to escape the inner quotes if your search terms contain them.

The match() function expects a regex so you can't use simple wildcards.

match(index,".*prod.*")

The like() function uses SQL-like matching so you'd use % as wildcard.

like(index,"%prod%")

Re: Eval command

splunklearner — Wed, 05 Feb 2025 14:38:50 GMT

Hi @PickleRick , I tried but I am unable to create SPL query can you please help me with the accurate query?

Re: Eval command

yuanliu — Fri, 07 Feb 2025 08:49:47 GMT

There are many ways to do this, but using if function is perhaps my last choice. Try this:

| rex field=index "_(?<app_id>\w+?)_(?<environment>(non_)*prod)"

Here is an emulation for you to play with and compare with real data.

| makeresults format=csv data="index sony_app_XXXXXX_non_prod sony_app_XXXXXX_prod sony_app_123456_non_prod sony_app_xyzabc_prod" ``` the above emulates index = sony_* ```

Output from this emulation is

app_id	environment	index
app_XXXXXX	non_prod	sony_app_XXXXXX_non_prod
app_XXXXXX	prod	sony_app_XXXXXX_prod
app_123456	non_prod	sony_app_123456_non_prod
app_xyzabc	prod	sony_app_xyzabc_prod

Hope this helps.