
How to Use variables in 'search' command?

ggranum
Engager

I am trying to do something in a rather complex search, but I believe I can map it down to the following.

I would like to use variable expansion or other (preferably simple) magic to recreate this query:

index=xyz severity=WARN ("This" OR "That")

So something like

index=xyz severity=WARN
| eval foo="This"
| eval bar="That"
| search ($foo$ OR $bar$)

There is a caveat that much later in the query I'd also need to filter on

A_FieldValue="*$foo$*"

(I am aware of the performance penalty of wildcard prefixes)


----


Possibly presenting a more specific (less contrived, but still contrived) example would help me find alternate answers:


How would one go about crafting a query to find log messages that contain the current e.g. year month day, as of the time of execution of the query?

index=xyz severity=WARN
| eval mentionsThisMonth=strftime(_time,"%Y.%m")
| search "$mentionsThisMonth$*"

At this point I'm assuming I'll have to regex into a field and then compare the field to the calculated variable. Better (more performant, less memory- and CPU-hungry) solutions would be most welcome.


Note: I am absolutely NOT interested in how to use date ranges, which is all you find when you try to google anything to do with 'search' and 'date' as concepts together. I mean literally that there is a date-like thing in the raw log that isn't quite date-like enough to be automatically parsed out into a field.

Thanks much,


ggranum
Engager

Please see the now-edited original post. 


ITWhisperer
SplunkTrust

Try this

index=xyz severity=WARN [| makeresults | eval query=strftime(_time,"%Y.%m") | table query]

ggranum
Engager

Thank you, that's interesting info. Unfortunately, after double-checking the performance limits of subsearches, I am quite sure we're well outside the limits (one minute / 10K events in the result).


ITWhisperer
SplunkTrust

The subsearch shown only returns 1 event and it would do that very quickly. Are you referring to a different subsearch?


isoutamo
SplunkTrust

Hi

Splunk doesn't have variables in SPL.

If you really need this, you need to use a subquery on your

index=xyz severity=WARN
[ <your query returns "This" OR "That">]

but you couldn't use the result of this again as A_FieldValue = ... You would have to write that subquery again with a slightly different result.

But if you are doing this on a dashboard, then you probably could do it with tokens? Another option could be to use the map command, but usually it's not efficient enough to be good for any bigger searches etc.

r. Ismo 
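Putting the two answers above together, as an added example that is not code from any of the posters: a subsearch that returns a field named search (or query, as in ITWhisperer's reply) has that value spliced into the outer search verbatim, so it can carry either the literal ("This" OR "That") expression from the first question or a value computed at run time, such as the current year and month. For the later A_FieldValue filter, the same value can be recomputed with eval and compared with where, because where evaluates expressions against fields whereas the search command only accepts literals. The index xyz, the field A_FieldValue and the "%Y.%m" format come from the question; the two searches below are otherwise assumed (the first shows the literal OR case, the second the computed-month case).

```spl
index=xyz severity=WARN
    [| makeresults
     | eval search="(\"This\" OR \"That\")"
     | fields search]

index=xyz severity=WARN
    [| makeresults
     | eval month=strftime(now(), "%Y.%m")
     | eval search="\"" . month . "\""
     | fields search]
| eval month=strftime(now(), "%Y.%m")
| where like(A_FieldValue, "%" . month . "%")
```

Each subsearch is a single makeresults row, so it finishes in milliseconds and stays far below the subsearch event and time limits; the cost is in the outer search, not the substitution. Since whatever lands in the search field becomes part of the query text unchanged, build it from trusted computed values like now() rather than from event data or user input, and prefer like() over match() for the second filter because the dot in "2025.05" would be a regex metacharacter.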

ITWhisperer
SplunkTrust

What do you mean by "variable expansion"?

Why can't you just do

index=xyz severity=WARN ("This" OR "That")