I'd like to use the top command in my search. The problem is that the fields I want to top can change when the sourcetype changes.
sourcetype=windows then top eventlog
sourcetype=others then linux_messages
My idea was the following:
sourcetype=windows | eval os = if(sourcetype="windows","eventlog","linux_messages") | top os
With "top os" Splunk only displays "eventlog" (logically). But "eventlog" is also a field. I want Splunk to replace "top os" with "top eventlog".
Is there a way to do this?
What exactly are you wanting to do this for? Why don't separate searches work for you, since the data and fields are different?
You could do something like this:
* | eval something = if(sourcetype="windows", eventlog, someotherfield) | top something
First you need to remove "sourcetype=windows" because you are only going to get that result when you have already filtered on windows prior to the 'if' statement. In this case, if it's windows it's going to top the eventlog field for you. For everything else it's going to choose someotherfield which would need to be common among the other stuff you want to look at.
Thanks! But I think we have a misunderstanding.
I have Windows and Linux logs. I also have one dashboard and on that dashboard I have a drop down to switch between Windows and Linux.
I see, for instance, the top Windows/Linux error messages. I want to realize this in one search. With a drop-down I choose the sourcetype (windows/linux), but the top command is the problem because the fields in Windows and Linux are different. In Windows it is eventlog and in Linux it is messages. The idea was to populate the top command by an if command which recognizes which sourcetype is chosen...
I have used macros in the past to help with this. You could use the stringreplace to pick which macro to use.
So you would have at least two search macros.
In the search you can refer to them like
so when os is linux it will use the `oslogs-linux` macro, and when windows it uses the `oslogs-windows` macro.