Concatenate fields into string on form

timmy13 · ‎07-13-2011

I want a form that will allow a user to "build" the appropriate "source" (or log file name) based on selecting various pieces of data.

So the fields will be like this:

Date
Application
Server

I want to then build a string to use in the search.

Trying to use eval but getting now where....

sourcetype=MySourceType | eval sourcelog=Date."-".Application."-".Server.".log" |search source=sourcelog

This always returns 0 results. If I leave out the search function, the sourcelog field is populated.

Once I can get this search to work, I can use it in the populatingsearch function of the form.

Ideas?

hazekamp · ‎07-13-2011

When comparing two fields you want to use the where command instead:

sourcetype=MySourceType | eval sourcelog=Date."-".Application."-".Server.".log" | where source=sourcelog

timmy13 · ‎07-14-2011

Great hazekamp, thanks for the help. That works, but I still have a problem.

Of course, when defining source=, I can use wild cards. However, when I place wildcards into sourcelog, and then use the where source=sourcelog command, it fails. seems the where doesn't like wildcards.

Ideas?

Concatenate fields into string on form

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?

Are you a member of the Splunk Community?

Concatenate fields into string on form

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?