Hello Everyone,
I have the following Splunk query, which I am trying to build for a dropdown in a dashboard. Basically there are 2 dropdowns; the 1st dropdown has static values, which are index names: index_1, index_2, index_3
Based on the selected index, I am trying to run the splunk query:
index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| search hostname= hostname_pattern
The search always returns empty. However, if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns results:
index="index_1"
| search hostname= "*-hostname_1"
To check whether my condition is working or not, I fed the output of eval case into a table and checked by passing the relevant indexes (index_1 or index_2):
index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| stats count by hostname_pattern | table hostname_pattern | sort hostname_pattern
It returns *-hostname_1
Not sure how we pass the hostname value based on the selected index for the search.
Highly appreciate your help.
The search command doesn't accept a field name on both sides of an expression. Use where, instead.
index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| where hostname= hostname_pattern
If this reply helps you, Karma would be appreciated.
Thanks @richgalloway for your response.
I tried with
| where hostname like hostname_pattern
also
| where hostname like hostname_pattern
It's not returning any search results.
Why did you do that? It's not what I suggested in my reply.
I'm not surprised you received no results since the syntax is rubbish. like is a function, not an operator.
| where like(hostname, hostname_pattern)
Be aware that like uses "%" as a wildcard rather than "*".
If this reply helps you, Karma would be appreciated.
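
The fix from the reply above as a self-contained search, added here as an example and not taken from any post in the thread: makeresults builds four constructed events (the hostnames are made up), case() emits the pattern with % in place of *, and where like() compares each event's hostname against its own pattern. like() also treats _ as a single-character wildcard, so the constructed row app-hostnameX2 is kept by %-hostname_2 along with the two intended matches.

```spl
| makeresults count=4
| streamstats count AS n
| eval index=if(n<=2, "index_1", "index_2")
| eval hostname=case(
    n==1, "web-hostname_1",
    n==2, "web-hostname_2",
    n==3, "app-hostname_2",
    n==4, "app-hostnameX2")
| eval hostname_pattern=case(
    index=="index_1", "%-hostname_1",
    index=="index_2", "%-hostname_2")
| where like(hostname, hostname_pattern)
| table index hostname hostname_pattern
```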
@richgalloway thanks. It worked.
I'd also assume that since you wanted a hostname _pattern_, a simple equality check won't do.
In such a case you should use match() or searchmatch() as your where condition. It's also worth pointing out that this search will most likely be more performance-intensive than it needs to be and might be better done differently.
