Hello,
We have separate indexes created for non-prod and prod.
Sample index names:
sony_app_XXXXXX_non_prod - for non-prod env
sony_app_XXXXXX_prod - for prod env
XXXXXX are Application ID numbers (different ones), and we have different indexes as well (along with non-prod and prod).
I want a field called env which should pick index details like for all non-prod indexes, the env should be Non-Prod and for Prod indexes, env should be Prod.
Given below is the command:
index=sony* | eval env=if(index="*non_prod*", "Non-Prod", "Prod")
This will not work for Prod because we have different indexes as well which do not include either non_prod or prod, but it is giving all values as Prod in env.
Kindly help me with the solution to achieve this.
There are many ways to do this, but using the if function is perhaps my last choice. Try this:
| rex field=index "_(?<app_id>\w+?)_(?<environment>(non_)*prod)"
Here is an emulation for you to play with and compare with real data.
| makeresults format=csv data="index
sony_app_XXXXXX_non_prod
sony_app_XXXXXX_prod
sony_app_123456_non_prod
sony_app_xyzabc_prod"
```
the above emulates
index = sony_*
```
Output from this emulation is
| app_id | environment | index |
| --- | --- | --- |
| app_XXXXXX | non_prod | sony_app_XXXXXX_non_prod |
| app_XXXXXX | prod | sony_app_XXXXXX_prod |
| app_123456 | non_prod | sony_app_123456_non_prod |
| app_xyzabc | prod | sony_app_xyzabc_prod |
Hope this helps.
OK. Back up a little. Read the descriptions for those functions. In detail.
searchmatch() needs a string containing normal search condition(s). That means that you could use it like this:
searchmatch("index=\"*prod*\"")
As you can see - you need to escape the inner quotes if your search terms contain them.
The match() function expects a regex so you can't use simple wildcards.
match(index,".*prod.*")
The like() function uses SQL-like matching so you'd use % as wildcard.
like(index,"%prod%")
Hi @PickleRick, I tried but I am unable to create the SPL query. Can you please help me with the accurate query?
eval env= if(index="*non_prod*", "Non-Prod", "Prod")
This won't work. At least not the way you want it to.
Your condition tries to match the index to the literal value of *non_prod*. Since an index name cannot contain asterisks, this condition will never evaluate to true.
You need to use one of the other comparison functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions
Suitable candidates:
like()
match()
searchmatch()
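Putting match() together with case(), so that indexes carrying neither suffix are not silently labelled Prod, as an added example that is not from this thread (the index names in the makeresults emulation are constructed; the non_prod test is listed first because an unanchored "prod" pattern also matches every non_prod index name, which is exactly why a two-way if() misclassifies):

```spl
| makeresults format=csv data="index
sony_app_111111_non_prod
sony_app_111111_prod
sony_app_222222_prod
sony_other_222222"
| eval env=case(
    match(index, "_non_prod$"), "Non-Prod",
    match(index, "_prod$"),     "Prod",
    true(),                     "Other")
| table index env
```

Replace the makeresults emulation with your real search (index=sony*) and the eval stays the same; the fourth row comes out as Other instead of Prod, which the original if() version could not do.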