Solved: Reuse-able Pattern matching blocks for eval?

splunkernator · ‎07-10-2022

Code is easier to explain: I wanted a bunch of new categories and i found eval especially useful - here is an obfuscated example

| index=my_index CONNECTED source="/var/log/vmware/my_log.log" 
| eval vdi_pool=case(
    match(name,"1A-VDI\d{3}"), "pool1",
    match(name,"1B-VDI\d{3}"), "pool2",
    match(name,"2A-VDI\d{3}"), "pool3",
    match(name,"2B-VDI\d{3}"), "pool4",
    match(name,"3A-VDI\d{3}"), "pool5",
    match(name,"3B-VDI\d{3}"), "pool6",
    1=1, "unclassified"
)
| timechart span=1h count by vdi_pool

This made the subsequent querys super easy. Irritatingly within the dashboard, if I add a new value I need to update all of the queries - this vexes me greatly 😥

I have noticed the entire definition can be downloaded as a json doc - so Im tempted to start templating this in python - this does not seem sane - ideally I'd like to create blocks of repeatable logic I can assemble together to show different scenarios.

Anyone done anything similar to achieve this kind of capability - but more "splunkonic"?

splunkernator · ‎07-28-2022

have you got any good links? else I'll just search

View solution in original post

bowesmana · ‎07-10-2022

If this is reusable code, then it should be a macro - then if it changes, just change the macro definition and all uses of the macro will use the new definition.

splunkernator · ‎07-28-2022

have you got any good links? else I'll just search

bowesmana · ‎07-31-2022

https://docs.splunk.com/Documentation/Splunk/8.2.7/Knowledge/Definesearchmacros

https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Usesearchmacros

Reuse-able Pattern matching blocks for eval?

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?