Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Define & use variable in same search

Filomenka
Explorer
‎07-13-2020 07:17 AM

Hello, fellow splunkers!

I am trying to find a search string where I could define a variable & then use it in the same search.
Example:

 

 

var1=some_value; var2=some_value;  | index="$var1-app01-$var2" OR index="$var1-app02-$var2" OR index="$var1-app03-$var2" "error" OR "severe"

 

 

Our current Splunk setup has too many indexes per customer/environment & this little feature would help a lot with unifying the searches.

I tried to browse the web/this forum and unfortunately did not find this or a similar issue.

Any help is appreciated, thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Filomenka
Explorer
‎07-15-2020 06:41 AM

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark">
  <label>debug-dashboard-beta</label>
  <description>closeml debug</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Customer">
      <label>Customer</label>
      <choice value="*">ALL</choice>
      <choice value="abc">ABC</choice>
      <choice value="123">123</choice>
      <choice value="xyz">XYZ</choice>
    </input>
    <input type="dropdown" token="Environment">
      <label>Environment</label>
      <choice value="*">ALL</choice>
      <choice value="prod">prod</choice>
      <choice value="acc">acc</choice>
      <choice value="test">test</choice>
      <choice value="dev">dev</choice>
    </input>
    <input type="dropdown" token="Label">
      <label>Label</label>
      <selectFirstChoice>true</selectFirstChoice>
      <choice value="">No label</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
    </input>
    <input type="text" token="custom_search">
      <label>Custom search</label>
      <default>"0200 error" OR "0200 severe"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-13-2020 07:32 AM

Splunk doesn't have the concept of variables.  Sometimes a field can be used as a variable, however, or you can use a macro.  Please explain more about "unifying the searches" so we can suggest the best method for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Filomenka
Explorer
‎07-14-2020 02:17 AM

Well, that is unfortunate, since the variable part would solve this issue.

We have x-customers, y-applications per customer & 3-6 environments per customer.

Indexes share the same naming convention:
index=<$customer>-<$app01>-<$environment>

We have 10+ applications, 3-6 environments per customer & every search is a hard-coded index with customer-app-evironment.

We have a dashboard per customer created with specific searches but for ad-hoc debugging this is my personal go-to (splunk search) for filtering interesting data.

The reason for this post was to create an "ultimate one-line" search, where only 2 parts of the data would change (input for the search => variable).

I am not sure this is the right approach, but it definitely looks like the easiest.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 05:39 AM
Thanks for the explanation.
Perhaps you could put the search into a dashboard and have selectors at the top to choose the index. Those selectors would become tokens in the search.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Filomenka
Explorer
‎07-14-2020 10:39 PM

As mentioned I already have dashboards in place with the needed filters:

Filomenka_0-1594791212472.png

Trying to think this through - can I add a "custom field" (type string) which would be used as an additional filter (in the screenshot)?
This way I could achieve the same thing you mentioned (dashboard with selectors) + the custom field & it would solve the issue.

BTW Thank you for your time & effort @richgalloway , I really appreciate it.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 05:26 AM
Yes, that should work.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

Filomenka
Explorer
‎07-15-2020 06:41 AM

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark">
  <label>debug-dashboard-beta</label>
  <description>closeml debug</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Customer">
      <label>Customer</label>
      <choice value="*">ALL</choice>
      <choice value="abc">ABC</choice>
      <choice value="123">123</choice>
      <choice value="xyz">XYZ</choice>
    </input>
    <input type="dropdown" token="Environment">
      <label>Environment</label>
      <choice value="*">ALL</choice>
      <choice value="prod">prod</choice>
      <choice value="acc">acc</choice>
      <choice value="test">test</choice>
      <choice value="dev">dev</choice>
    </input>
    <input type="dropdown" token="Label">
      <label>Label</label>
      <selectFirstChoice>true</selectFirstChoice>
      <choice value="">No label</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
    </input>
    <input type="text" token="custom_search">
      <label>Custom search</label>
      <default>"0200 error" OR "0200 severe"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 08:13 AM

If your problem is resolved, then please click a "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...