Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Define & use variable in same search

Filomenka
Explorer
‎07-13-2020 07:17 AM

Hello, fellow splunkers!

I am trying to find a search string where I could define a variable & then use it in the same search.
Example:

 

 

var1=some_value; var2=some_value;  | index="$var1-app01-$var2" OR index="$var1-app02-$var2" OR index="$var1-app03-$var2" "error" OR "severe"

 

 

Our current Splunk setup has too many indexes per customer/environment & this little feature would help a lot with unifying the searches.

I tried to browse the web/this forum and unfortunately did not find this or a similar issue.

Any help is appreciated, thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Filomenka
Explorer
‎07-15-2020 06:41 AM

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark">
  <label>debug-dashboard-beta</label>
  <description>closeml debug</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Customer">
      <label>Customer</label>
      <choice value="*">ALL</choice>
      <choice value="abc">ABC</choice>
      <choice value="123">123</choice>
      <choice value="xyz">XYZ</choice>
    </input>
    <input type="dropdown" token="Environment">
      <label>Environment</label>
      <choice value="*">ALL</choice>
      <choice value="prod">prod</choice>
      <choice value="acc">acc</choice>
      <choice value="test">test</choice>
      <choice value="dev">dev</choice>
    </input>
    <input type="dropdown" token="Label">
      <label>Label</label>
      <selectFirstChoice>true</selectFirstChoice>
      <choice value="">No label</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
    </input>
    <input type="text" token="custom_search">
      <label>Custom search</label>
      <default>"0200 error" OR "0200 severe"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-13-2020 07:32 AM

Splunk doesn't have the concept of variables.  Sometimes a field can be used as a variable, however, or you can use a macro.  Please explain more about "unifying the searches" so we can suggest the best method for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Filomenka
Explorer
‎07-14-2020 02:17 AM

Well, that is unfortunate, since the variable part would solve this issue.

We have x-customers, y-applications per customer & 3-6 environments per customer.

Indexes share the same naming convention:
index=<$customer>-<$app01>-<$environment>

We have 10+ applications, 3-6 environments per customer & every search is a hard-coded index with customer-app-evironment.

We have a dashboard per customer created with specific searches but for ad-hoc debugging this is my personal go-to (splunk search) for filtering interesting data.

The reason for this post was to create an "ultimate one-line" search, where only 2 parts of the data would change (input for the search => variable).

I am not sure this is the right approach, but it definitely looks like the easiest.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 05:39 AM
Thanks for the explanation.
Perhaps you could put the search into a dashboard and have selectors at the top to choose the index. Those selectors would become tokens in the search.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Filomenka
Explorer
‎07-14-2020 10:39 PM

As mentioned I already have dashboards in place with the needed filters:

Filomenka_0-1594791212472.png

Trying to think this through - can I add a "custom field" (type string) which would be used as an additional filter (in the screenshot)?
This way I could achieve the same thing you mentioned (dashboard with selectors) + the custom field & it would solve the issue.

BTW Thank you for your time & effort @richgalloway , I really appreciate it.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 05:26 AM
Yes, that should work.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

Filomenka
Explorer
‎07-15-2020 06:41 AM

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark">
  <label>debug-dashboard-beta</label>
  <description>closeml debug</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Customer">
      <label>Customer</label>
      <choice value="*">ALL</choice>
      <choice value="abc">ABC</choice>
      <choice value="123">123</choice>
      <choice value="xyz">XYZ</choice>
    </input>
    <input type="dropdown" token="Environment">
      <label>Environment</label>
      <choice value="*">ALL</choice>
      <choice value="prod">prod</choice>
      <choice value="acc">acc</choice>
      <choice value="test">test</choice>
      <choice value="dev">dev</choice>
    </input>
    <input type="dropdown" token="Label">
      <label>Label</label>
      <selectFirstChoice>true</selectFirstChoice>
      <choice value="">No label</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
    </input>
    <input type="text" token="custom_search">
      <label>Custom search</label>
      <default>"0200 error" OR "0200 severe"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 08:13 AM

If your problem is resolved, then please click a "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...