topic Re: search using a variable as condition in Splunk Search

search using a variable as condition

snemiro_514 — Mon, 28 Sep 2020 17:36:53 GMT

Hola Splunkers,

I want to consolidate two dynamic drilldowns in a table. Each drilldown is passing the same token $token$, and my table should display the relevant events (all the events come from the same source)

I'm trying to keep things simple, and I'm very close to make it work.

My 1st problem is: I coudn't find a simple way to verify is the $token$ has a default value or has a "legal" value. (isnull ie)

So, I've decided to use the same variable for both graphs....$type_tok$, which leads to my 2nd problem. I cannot execute a search with a condition in a variable.

From the graph#1, the values in the token are: "SUCCESS", "ERROR", "UNDEF". (A value in the field Response)
From the graph #2, the values are: A01, D03, F05 (always number in the 2nd position) (A value in the field Result)

So I'm trying to distinguish between the two sources, checking if the 2nd character in the token is a number, so in my table, Im trying something like:

...| eval condition=if(isint(substr($type_tok$,2,1)), "Response=$type_tok$", "Result=$type_tok$")| search condition | table _time, Id, error, Type, EndTime

But of course, it doesn't work. The eval fails, and the search never works.

I tried a simple search with a variable with and without $, but I couldn't make it work.
... | eval test="Respons=SUCCESS" | search $test$

I know it is possible to trigger saved search, but I prefer not to do it.

Any advice?

Re: search using a variable as condition

martin_mueller — Wed, 17 Sep 2014 23:09:41 GMT

You can move your if() expression into an eval-based macro and use that in your main search:

some key words `your_if_macro("$type_tok$")` | table ...

The macro is evaluated once before the search runs, and the string returned by the if() expression is inserted into the search string. Hence you can calculate both the field name and field value you're filtering for!

Re: search using a variable as condition

nekbote — Tue, 02 Jun 2015 02:14:10 GMT

Was this ever resolved...is there a solution?

Re: search using a variable as condition

nekbote — Mon, 08 Jun 2015 23:04:08 GMT

Hi Martin,

thank you for the response, in my case i needed to use case as i have more than 4 conditions to look at and then determine the value. However i was able to get around it using

....| where eval xyz=Case()| table...

thanks!

Re: search using a variable as condition

martin_mueller — Thu, 11 Jun 2015 21:50:36 GMT

case() will work in eval-based macros as well.

Re: search using a variable as condition

nekbote — Fri, 12 Jun 2015 23:24:15 GMT

Thanks Martin!!