Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Define & use variable in same search

Filomenka
Explorer
‎07-13-2020 07:17 AM

Hello, fellow splunkers!

I am trying to find a search string where I could define a variable & then use it in the same search.
Example:

 

 

var1=some_value; var2=some_value;  | index="$var1-app01-$var2" OR index="$var1-app02-$var2" OR index="$var1-app03-$var2" "error" OR "severe"

 

 

Our current Splunk setup has too many indexes per customer/environment & this little feature would help a lot with unifying the searches.

I tried to browse the web/this forum and unfortunately did not find this or a similar issue.

Any help is appreciated, thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Filomenka
Explorer
‎07-15-2020 06:41 AM

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark">
  <label>debug-dashboard-beta</label>
  <description>closeml debug</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Customer">
      <label>Customer</label>
      <choice value="*">ALL</choice>
      <choice value="abc">ABC</choice>
      <choice value="123">123</choice>
      <choice value="xyz">XYZ</choice>
    </input>
    <input type="dropdown" token="Environment">
      <label>Environment</label>
      <choice value="*">ALL</choice>
      <choice value="prod">prod</choice>
      <choice value="acc">acc</choice>
      <choice value="test">test</choice>
      <choice value="dev">dev</choice>
    </input>
    <input type="dropdown" token="Label">
      <label>Label</label>
      <selectFirstChoice>true</selectFirstChoice>
      <choice value="">No label</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
    </input>
    <input type="text" token="custom_search">
      <label>Custom search</label>
      <default>"0200 error" OR "0200 severe"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-13-2020 07:32 AM

Splunk doesn't have the concept of variables.  Sometimes a field can be used as a variable, however, or you can use a macro.  Please explain more about "unifying the searches" so we can suggest the best method for you.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Filomenka
Explorer
‎07-14-2020 02:17 AM

Well, that is unfortunate, since the variable part would solve this issue.

We have x-customers, y-applications per customer & 3-6 environments per customer.

Indexes share the same naming convention:
index=<$customer>-<$app01>-<$environment>

We have 10+ applications, 3-6 environments per customer & every search is a hard-coded index with customer-app-evironment.

We have a dashboard per customer created with specific searches but for ad-hoc debugging this is my personal go-to (splunk search) for filtering interesting data.

The reason for this post was to create an "ultimate one-line" search, where only 2 parts of the data would change (input for the search => variable).

I am not sure this is the right approach, but it definitely looks like the easiest.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 05:39 AM
Thanks for the explanation.
Perhaps you could put the search into a dashboard and have selectors at the top to choose the index. Those selectors would become tokens in the search.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Filomenka
Explorer
‎07-14-2020 10:39 PM

As mentioned I already have dashboards in place with the needed filters:

Filomenka_0-1594791212472.png

Trying to think this through - can I add a "custom field" (type string) which would be used as an additional filter (in the screenshot)?
This way I could achieve the same thing you mentioned (dashboard with selectors) + the custom field & it would solve the issue.

BTW Thank you for your time & effort @richgalloway , I really appreciate it.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 05:26 AM
Yes, that should work.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

Filomenka
Explorer
‎07-15-2020 06:41 AM

Thank you rich, you are a lifesaver! 🙂 Works like a charm...

If anybody else is reading this, this is the solution that worked for me (this can be used as a template):

<form theme="dark">
  <label>debug-dashboard-beta</label>
  <description>closeml debug</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Customer">
      <label>Customer</label>
      <choice value="*">ALL</choice>
      <choice value="abc">ABC</choice>
      <choice value="123">123</choice>
      <choice value="xyz">XYZ</choice>
    </input>
    <input type="dropdown" token="Environment">
      <label>Environment</label>
      <choice value="*">ALL</choice>
      <choice value="prod">prod</choice>
      <choice value="acc">acc</choice>
      <choice value="test">test</choice>
      <choice value="dev">dev</choice>
    </input>
    <input type="dropdown" token="Label">
      <label>Label</label>
      <selectFirstChoice>true</selectFirstChoice>
      <choice value="">No label</choice>
      <choice value="b">b</choice>
      <choice value="c">c</choice>
    </input>
    <input type="text" token="custom_search">
      <label>Custom search</label>
      <default>"0200 error" OR "0200 severe"</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 08:13 AM

If your problem is resolved, then please click a "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...