Unable to search with eval case output

super_edition
Path Finder

Hello Everyone,

I have the following Splunk query, which I am trying to build for a dropdown in a dashboard. Basically 2 dropdowns; the 1st dropdown has static values, which are index names: index_1, index_2, index_3

Based on the selected index, I am trying to run the Splunk query:

 

index="index_1" 
| eval hostname_pattern=case(
index == "index_1","*-hostname_1", 
index == "index_2","*-hostname_2"
)
| search hostname= hostname_pattern

 

The search always returns empty. However, if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns results:

 

index="index_1" 
| search hostname= "*-hostname_1"

 

For the sake of checking whether my condition is working or not, I fed the output of the eval case into a table and checked by passing the relevant indexes (index_1 or index_2):

 

index="index_1" 
| eval hostname_pattern=case(
index == "index_1","*-hostname_1", 
index == "index_2","*-hostname_2"
)
| stats count by hostname_pattern | table hostname_pattern | sort hostname_pattern

 

This returns *-hostname_1.

Not sure how we pass the hostname value, based on the selected index, to the search.

Highly appreciate your help.

richgalloway
SplunkTrust

The search command doesn't accept a field name on both sides of an expression.  Use where, instead.

index="index_1" 
| eval hostname_pattern=case(
index == "index_1","*-hostname_1", 
index == "index_2","*-hostname_2"
)
| where hostname= hostname_pattern

---
If this reply helps you, Karma would be appreciated.

super_edition
Path Finder

Thanks @richgalloway for your response.

I tried with 

| where hostname like hostname_pattern

also

| where hostname like hostname_pattern

It's not returning any search results.

richgalloway
SplunkTrust

Why did you do that?  It's not what I suggested in my reply.

I'm not surprised you received no results since the syntax is rubbish.  like is a function, not an operator.

| where like(hostname, hostname_pattern)

Be aware that like uses "%" as a wildcard rather than "*".

---
If this reply helps you, Karma would be appreciated.

super_edition
Path Finder

@richgalloway  thanks. It worked.

PickleRick
SplunkTrust

I'd also assume that since you wanted a hostname _pattern_, a simple equality check won't do.

In such a case you should use match() or searchmatch() as your where condition. It's also worth pointing out that this search will most likely be more performance-intensive than it needs to be and might be better done differently.

 

0 Karma
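As an added example (not code posted in this thread), here is the dashboard search assembled from the answers above, assuming a hypothetical dropdown token `$index_tok$` that holds the selected index name. The `*` in the case() patterns is rewritten to `%` for like(), and the equivalent match() form that PickleRick mentions is built from the same pattern, so both conditions are shown side by side.

```spl
index="$index_tok$"
| eval hostname_pattern=case(
    index == "index_1", "*-hostname_1",
    index == "index_2", "*-hostname_2",
    true(), "*")
| eval like_pattern=replace(hostname_pattern, "[*]", "%")
| eval host_regex="^" . replace(hostname_pattern, "[*]", ".*") . "$"
| where like(hostname, like_pattern)
| eval regex_matches=if(match(hostname, host_regex), "yes", "no")
| stats count by index, hostname, hostname_pattern, regex_matches
```

The regex_matches column is only there to confirm that like() and match() agree on every remaining event; drop it and the stats line in the real dashboard search. Because the filter is applied after events have been retrieved, this is still heavier than putting hostname="*-hostname_1" directly in the base search, which is the point PickleRick raises.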