Splunk Search

Eval command

splunklearner
Communicator

Hello,

We have separate indexes created for non-prod and prod. 

Sample index name :

sony_app_XXXXXX_non_prod - for non-prod env

sony_app_XXXXXX_prod - for prod env

XXXXX are Application ID numbers (different) and we have different indexes as well (along with non-prod and prod).

I want a field called env which should pick index details like for all non-prod indexes, the env should be Non-Prod and for Prod indexes, env should be Prod.

Given below is the command:

index=sony*  |eval env= if(index="*non_prod*", "Non-Prod", "Prod"). This will not work for Prod because we have different indexes as well which do not include either non_prod or prod.

But it is giving all values as Prod in env.

Kindly help me with the solution to achieve this.


yuanliu
SplunkTrust

There are many ways to do this, but using the if function is perhaps my last choice. Try this:

| rex field=index "_(?<app_id>\w+?)_(?<environment>(non_)*prod)"


Here is an emulation for you to play with and compare with real data.


| makeresults format=csv data="index
sony_app_XXXXXX_non_prod
sony_app_XXXXXX_prod
sony_app_123456_non_prod
sony_app_xyzabc_prod"
``` the above emulates
index = sony_*
```


Output from this emulation is

app_id       environment   index
app_XXXXXX   non_prod      sony_app_XXXXXX_non_prod
app_XXXXXX   prod          sony_app_XXXXXX_prod
app_123456   non_prod      sony_app_123456_non_prod
app_xyzabc   prod          sony_app_xyzabc_prod

Hope this helps.


splunklearner
Communicator

(screenshot omitted)

PickleRick
SplunkTrust

OK. Back up a little. Read the descriptions for those functions. In detail.

searchmatch() needs a string containing normal search condition(s). That means that you could use it like this:

searchmatch("index=\"*prod*\"")

As you can see - you need to escape the inner quotes if your search terms contain them.

The match() function expects a regex so you can't use simple wildcards.

match(index,".*prod.*")

The like() function uses SQL-like matching, so you'd use % as the wildcard.

like(index,"%prod%")
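Putting the three functions to work on the asker's index naming, as an added example that is not part of PickleRick's reply: the index values are constructed with makeresults to stand in for `index=sony*`, and the "Other" bucket is an assumption for the indexes the asker mentioned that carry neither suffix.

```spl
| makeresults format=csv data="index
sony_app_111111_non_prod
sony_app_222222_prod
sony_app_333333_other"
``` constructed rows emulating index=sony*; real searches replace this with: index=sony* ```
| eval env_broken=if(index="*non_prod*", "Non-Prod", "Prod")
``` literal string comparison: no index name contains asterisks, so every row becomes Prod ```
| eval env=case(like(index, "%non_prod"), "Non-Prod",
                like(index, "%prod"),     "Prod",
                true(),                   "Other")
``` like(): % matches any run of characters and _ matches any single character, so
    "%non_prod" also covers the literal underscore. non_prod must be tested first,
    because "%prod" matches sony_app_111111_non_prod as well ```
| eval env_regex=case(match(index, "_non_prod$"), "Non-Prod",
                      match(index, "_prod$"),     "Prod",
                      true(),                     "Other")
``` same result with anchored regexes; the ordering matters for the same reason ```
| table index env_broken env env_regex
```

Expected: env_broken is Prod on all three rows, while env and env_regex give Non-Prod, Prod, Other.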

splunklearner
Communicator

Hi @PickleRick, I tried but I am unable to create the SPL query. Can you please help me with the accurate query?

PickleRick
SplunkTrust
eval env= if(index="*non_prod*", "Non-Prod", "Prod")

This won't work. At least not the way you want it to.

Your condition tries to match the index to the literal value of *non_prod*. Since an index name cannot contain asterisks, this condition will never evaluate to true.

You need to use one of the other comparison functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

Suitable candidates:

like()

match()

searchmatch()


splunklearner
Communicator

(screenshot omitted)

@PickleRick, giving this, I am getting an error...