Splunk Search

Create a new variable within a search

Communicator

Hi,

I'd like to use the top command in my search. The problem is that the fields which I want to top can change if the sourcetype changes.

sourcetype=windows then top eventlog
sourcetype=others then linux_messages

My idea was the following

sourcetype=windows | eval os = if(sourcetype="windows","eventlog","linux_messages") | top os

With "top os" Splunk only displays "eventlog" (as is logical). But "eventlog" is also a field. I want Splunk to replace the "top os" with "top eventlog".

Is there a way to do this?

Thank you

1 Solution

Splunk Employee

I have used macros in the past to help with this. You could use the stringreplace to pick which macro to use.

So you would have at least two search macros: oslogs-windows and oslogs-linux

In the search you can refer to them like
.... | `oslogs-$os$`
so when os is linux it will use the oslogs-linux macro, and when windows it uses the oslogs-windows macro

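The macro and token wiring described in the answer above, as an added example that is not part of the original thread: the two macros.conf stanzas (shown in the leading comment) and a Simple XML dashboard whose dropdown token selects between them. The macro names and the field names eventlog and messages come from the thread; the Linux sourcetype value, the time range and the top limit are assumptions.

```xml
<!-- macros.conf stanzas (assumed to live in an app's local/ directory).
     Each macro carries the sourcetype-specific filter and field, so the
     dashboard search never has to know which field to "top".

     [oslogs-windows]
     definition = sourcetype=windows | top limit=20 eventlog
     iseval = 0

     [oslogs-linux]
     definition = sourcetype=linux_messages | top limit=20 messages
     iseval = 0
-->
<form>
  <label>Top OS log messages</label>
  <fieldset submitButton="false">
    <!-- The dropdown value becomes the token $os$; only these two
         values are offered, and each maps to a defined macro. -->
    <input type="dropdown" token="os" searchWhenChanged="true">
      <label>Operating system</label>
      <choice value="windows">Windows</choice>
      <choice value="linux">Linux</choice>
      <default>windows</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Token substitution happens before the search is dispatched,
               so this expands to `oslogs-windows` or `oslogs-linux`. -->
          <query>`oslogs-$os$`</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the token is inserted verbatim into the search string, an os value that does not name a defined macro makes the search fail with an unknown-macro error instead of silently running something else.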


Splunk Employee

You're welcome, I am glad it worked.


Communicator

I am really thankful for your answer! Worked great 🙂


Splunk Employee

What exactly are you wanting to do this for? Why don't separate searches work for you, since the data and fields are different?

You could do something like this:

* | eval something = if(sourcetype="windows", eventlog, someotherfield) | top something

First you need to remove "sourcetype=windows" because you are only going to get that result when you have already filtered on windows prior to the 'if' statement. In this case, if it's windows it's going to top the eventlog field for you. For everything else it's going to choose someotherfield which would need to be common among the other stuff you want to look at.


Communicator

Thanks! But I think we have a misunderstanding.

I have Windows and Linux logs. I also have one dashboard and on that dashboard I have a drop down to switch between Windows and Linux.

I see, for instance, the top Windows/Linux error messages. I want to realize this in one search. With a drop down, I choose the sourcetype (windows/linux), but the top command is the problem because the fields in Windows and Linux are different. In Windows it is eventlog and in Linux it is messages. The idea was to populate the top command by an if command which recognizes which sourcetype is chosen...
