Hello Everyone,
I have the following Splunk query, which I am trying to build for a dropdown in a dashboard. Basically there are 2 dropdowns; the 1st dropdown has static values, which are index names: index_1, index_2, index_3
Based on the selected index, I am trying to run the Splunk query:
index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| search hostname= hostname_pattern
The search always returns empty. However, if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns results:
index="index_1"
| search hostname= "*-hostname_1"
For the sake of checking whether my condition is working or not, I fed the output of eval case into a table, and checked by passing the relevant indexes (index_1 or index_2):
index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| stats count by hostname_pattern | table hostname_pattern | sort hostname_pattern
returns *-hostname_1
Not sure how we pass the hostname value based on the selected index for the search.
Highly appreciate your help.
The search command doesn't accept a field name on both sides of an expression. Use where, instead.
index="index_1"
| eval hostname_pattern=case(
index == "index_1","*-hostname_1",
index == "index_2","*-hostname_2"
)
| where hostname= hostname_pattern
Thanks @richgalloway for your response.
I tried with
| where hostname like hostname_pattern
also
| where hostname like hostname_pattern
It's not returning any search results.
Why did you do that? It's not what I suggested in my reply.
I'm not surprised you received no results since the syntax is rubbish. like is a function, not an operator.
| where like(hostname, hostname_pattern)
Be aware that like uses "%" as a wildcard rather than "*".
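The fix above, run against four constructed events so it can be tried without any indexed data (an added example, not part of the thread; the `n` counter, the `idx` field standing in for `index`, and the four hostnames are made up for illustration). It puts the equality test and `like()` side by side on the same rows:

```spl
| makeresults count=4
| streamstats count AS n
| eval idx=if(n<=2, "index_1", "index_2")
| eval hostname=case(n==1, "web-hostname_1", n==2, "db-hostname_2", n==3, "app-hostname_2", n==4, "app-hostname_1")
| eval hostname_pattern=case(idx=="index_1", "%-hostname_1", idx=="index_2", "%-hostname_2")
| eval equality_match=if(hostname==hostname_pattern, "yes", "no")
| eval like_match=if(like(hostname, hostname_pattern), "yes", "no")
| table idx hostname hostname_pattern equality_match like_match
```

Rows 1 and 3 come back with like_match=yes, while equality_match is no on every row because the comparison is against the literal pattern string. Note that `_` in a `like()` pattern also matches any single character, so `%-hostname_1` is slightly broader than it looks.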
@richgalloway thanks. It worked.
I'd also assume that since you wanted hostname _pattern_, a simple equality check won't do.
In such a case you should use match() or searchmatch() as your where condition. It's also worth pointing out that this search will most likely be more performance-intensive than it needs to be and might be better done differently.