Unable to search with eval case output

super_edition
Path Finder

Hello Everyone,

I have the following Splunk query, which I am trying to build for a dropdown in a dashboard. Basically 2 dropdowns; the 1st dropdown has static values, which are index names: index_1, index_2, index_3

Based on the selected index, I am trying to run the Splunk query:

index="index_1"
| eval hostname_pattern=case(
    index == "index_1", "*-hostname_1",
    index == "index_2", "*-hostname_2"
  )
| search hostname= hostname_pattern

The search always returns empty. However, if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns results:

index="index_1"
| search hostname="*-hostname_1"

For the sake of checking whether my condition is working or not, I fed the output of the eval case into a table, and checked by passing the relevant indexes (index_1 or index_2):

index="index_1"
| eval hostname_pattern=case(
    index == "index_1", "*-hostname_1",
    index == "index_2", "*-hostname_2"
  )
| stats count by hostname_pattern
| table hostname_pattern
| sort hostname_pattern

returns *-hostname_1

Not sure how we pass the hostname value based on the selected index to the search.

Highly appreciate your help.


richgalloway
SplunkTrust

The search command doesn't accept a field name on both sides of an expression.  Use where, instead.

index="index_1"
| eval hostname_pattern=case(
    index == "index_1", "*-hostname_1",
    index == "index_2", "*-hostname_2"
  )
| where hostname= hostname_pattern

---
If this reply helps you, Karma would be appreciated.

super_edition
Path Finder

Thanks @richgalloway for your response.

I tried with 

| where hostname like hostname_pattern

also

| where hostname like hostname_pattern

It's not returning any search results.


richgalloway
SplunkTrust
(accepted solution)

Why did you do that?  It's not what I suggested in my reply.

I'm not surprised you received no results since the syntax is rubbish.  like is a function, not an operator.

| where like(hostname, hostname_pattern)

Be aware that like uses "%" as a wildcard rather than "*".

---
If this reply helps you, Karma would be appreciated.
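The accepted answer assembled into a complete search, as an added example rather than code from the thread. `$index_tok$` is an assumed Simple XML token standing in for the first dropdown (the question does not name it). The case() patterns use `%` rather than `*`, because like() treats `*` as a literal character, and the `true()` fallback is there for an index with no branch (index_3 in the question): without it hostname_pattern is null, like() evaluates to null, and where drops every event from that index. The second search does the same selection with match() and an anchored regex, which is the form to use when a suffix match is not precise enough.

```spl
index=$index_tok$
| eval hostname_pattern=case(
    index=="index_1", "%-hostname_1",
    index=="index_2", "%-hostname_2",
    true(),           "%"
  )
| where like(hostname, hostname_pattern)
| stats count by index, hostname

index=$index_tok$
| eval hostname_regex=case(
    index=="index_1", "-hostname_1$",
    index=="index_2", "-hostname_2$",
    true(),           "."
  )
| where match(hostname, hostname_regex)
| stats count by index, hostname
```

like() follows SQL LIKE semantics: `%` matches any run of characters and `_` matches exactly one, so `%-hostname_1` also accepts a host named `web-hostnameX1`. If that matters, use the match() form, where `_` is literal. When the regex goes into a Simple XML dashboard, write the anchoring `$` as `$$` so it is not read as a token delimiter.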

super_edition
Path Finder

@richgalloway thanks. It worked.

PickleRick
SplunkTrust

I'd also assume that since you wanted a hostname _pattern_, a simple equality check won't do.

In such a case you should use match() or searchmatch() as your where condition. It's also worth pointing out that this search will most likely be more performance-intensive than it needs to be and might be better done differently.

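A cheaper way to get the same result, added here as an example following PickleRick's performance remark (not code from the thread): the `where like(...)` approach in the accepted answer reads every event in the selected index and filters afterwards. Moving the hostname pattern into the base search lets Splunk apply it as an ordinary wildcard field filter before events are returned. The subsearch below runs first, builds a single row whose hostname field is the pattern for the selected index, and `return hostname` hands it to the outer search as `hostname="*-hostname_1"`. `$index_tok$` is again an assumed dropdown token; `*` is correct here because this is search syntax, not like().

```spl
index=$index_tok$
    [ | makeresults
      | eval hostname=case(
            "$index_tok$"=="index_1", "*-hostname_1",
            "$index_tok$"=="index_2", "*-hostname_2",
            true(),                   "*"
        )
      | return hostname ]
| stats count by index, hostname
```

For index_1 the expanded search is `index=index_1 hostname="*-hostname_1"`, which is exactly the direct query the question says works. In a dashboard the subsearch can be dropped entirely: give the dropdown a `<change>` handler with one `<condition value="...">` per index that sets a second token, say `host_pat`, and write the panel search as `index=$index_tok$ hostname=$host_pat$`.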