Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to assign "source" during a search after a con...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ricotries
Communicator
03-12-2020
07:56 AM
I am creating a dashboard to show all Linux command line history per user and I would like to create an input where you can type the user and if it matches anything in a case statement, it assigns a value to "source" and runs the search.
For example, I have two sources:
source=/root/.bash_history
source=/opt/splunk/.bash_history
I have a token $acct$ which holds the user that was typed in the input.
I wrote this search:
index=linux sourcetype=linux_cli
| eval search_source=case($acct$ == root, "/root/.bash_history", $acct$ == splunk, "/opt/splunk/.bash_history")
| search source=search_source
But this returns no results. How can I do this assignment during search?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-12-2020
08:09 AM
Try this:
index=linux sourcetype=linux_cli
| eval search_source=case("$acct$" == "root", "/root/.bash_history", "$acct$" == "splunk", "/opt/splunk/.bash_history")
| where match(source, search_source)
OR use match:
index=linux sourcetype=linux_cli
| eval search_source=case(match("$acct$", "root"), "/root/.bash_history", match("$acct$", "splunk"), "/opt/splunk/.bash_history")
| where match(source, search_source)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-12-2020
08:09 AM
Try this:
index=linux sourcetype=linux_cli
| eval search_source=case("$acct$" == "root", "/root/.bash_history", "$acct$" == "splunk", "/opt/splunk/.bash_history")
| where match(source, search_source)
OR use match:
index=linux sourcetype=linux_cli
| eval search_source=case(match("$acct$", "root"), "/root/.bash_history", match("$acct$", "splunk"), "/opt/splunk/.bash_history")
| where match(source, search_source)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ricotries
Communicator
03-12-2020
10:29 AM
Neither of these worked. Just to test I'm using literal text (instead of tokens) and running it in a search. The time is set for "All Time" and there were not results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-12-2020
10:39 AM
Updated answer, check now. If not working post some samples of source from your data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ricotries
Communicator
03-12-2020
10:50 AM
They both work if you place double quotes around the token:
"$acct$" == "root"
Edit your response for any one else who ends up running into this. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-12-2020
10:54 AM
That's great! I updated my answer. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
03-12-2020
08:09 AM
@ricotries
Can you please try this?
index=linux sourcetype=linux_cli
| eval act=$acct$
| eval search_source=case(act="root", "/root/.bash_history", act="splunk", "/opt/splunk/.bash_history")
| where source=search_source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ricotries
Communicator
03-12-2020
10:24 AM
This did not work. It's not throwing any errors, it's just not returning anything.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
What Is Splunk? Here’s What You Can Do with Splunk
Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...
Level Up Your .conf25: Splunk Arcade Comes to Boston
With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...
