Re: fetch host

Jasmine · ‎04-12-2024

what is the error in the below query which i am using to populate in drop down list

index=aaa(source="/var/log/testd.log") |stats count by host
| eval env=case(match(host, "*10qe*"), "Test",
match(host, "*10qe*"), "QA",
match(host, "*10qe*"), "Prod" )

gcusello · ‎04-12-2024

Hi @Jasmine ,

as @marnall said a space is missing between the index value and the source condition.

I suppose that the erro is that the argument of the match function in the eval command is a regex, so you don't need to use asterisk:

index=aaa (source="/var/log/testd.log") 
| stats count by host
| eval env=case(
   match(host, "10qe"), "Test",
   match(host, "10qe"), "QA",
   match(host, "10qe"), "Prod")

Ciao.

Giuseppe

marnall · ‎04-12-2024

Some potential problems with your query are:

1. index=aaa(source="/var/log/testd.log")
Does not have a space between the index and source filters

2. the match() functions in your eval env=case() part should have valid regexes in the second argument of the match function, as in match(<field>,<regex>). Try this:
| eval env=case(match(host, ".*10qe.*"), "Test",
match(host, ".*10qe.*"), "QA",
match(host, ".*10qe.*"), "Prod" )

ref: https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions

Jasmine · ‎04-13-2024

host is same across all the env. i am facing issue when i bind the same value to drop down list saying "Duplicate values causing conflict". But i need dropdown list with TEST/QA/PROD(label) with same host value. - how can i achieve this?

fetch host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation