Splunk Search

Eval command

splunklearner
Communicator

Hello,

We have separate indexes created for non-prod and prod. 

Sample index names:

sony_app_XXXXXX_non_prod - for non-prod env

sony_app_XXXXXX_prod - for prod env

XXXXX are Application ID numbers (different) and we have different indexes as well (along with non-prod and prod).

I want a field called env which should pick index details like for all non-prod indexes, the env should be Non-Prod and for Prod indexes, env should be Prod.

The command given below

index=sony* | eval env=if(index="*non_prod*", "Non-Prod", "Prod")

This will not work for Prod because we have other indexes as well which do not include either non_prod or prod,

but it is giving all values as Prod in env.

Kindly help me with the solution to achieve this.


0 Karma

yuanliu
SplunkTrust

There are many ways to do this, but using the if function is perhaps my last choice. Try this:

| rex field=index "_(?<app_id>\w+?)_(?<environment>(non_)*prod)"

Here is an emulation for you to play with and compare with real data.

| makeresults format=csv data="index
sony_app_XXXXXX_non_prod
sony_app_XXXXXX_prod
sony_app_123456_non_prod
sony_app_xyzabc_prod"
``` the above emulates
index = sony_*
```
``` now apply the extraction from above ```
| rex field=index "_(?<app_id>\w+?)_(?<environment>(non_)*prod)"


Output from this emulation is

app_id       environment   index
app_XXXXXX   non_prod      sony_app_XXXXXX_non_prod
app_XXXXXX   prod          sony_app_XXXXXX_prod
app_123456   non_prod      sony_app_123456_non_prod
app_xyzabc   prod          sony_app_xyzabc_prod

Hope this helps.

0 Karma

splunklearner
Communicator


0 Karma

PickleRick
SplunkTrust

OK. Back up a little. Read the descriptions for those functions. In detail.

searchmatch() needs a string containing normal search condition(s). That means that you could use it like this:

searchmatch("index=\"*prod*\"")

As you can see, you need to escape the inner quotes if your search terms contain them.

The match() function expects a regex so you can't use simple wildcards.

match(index,".*prod.*")

The like() function uses SQL-like matching, so you'd use % as the wildcard.

like(index,"%prod%")

0 Karma
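Pulling the three functions together, here is an added emulation (not from any of the posts above) that classifies index names with case() and also handles names carrying neither suffix, which the question mentions. The index names are constructed; the env column uses match() anchored on the suffix, and env_like shows the same logic written with like().

```spl
| makeresults format=csv data="index
sony_app_111111_non_prod
sony_app_222222_prod
sony_app_333333_nonprod
sony_other_444444"
| eval env=case(match(index, "_non_prod$"), "Non-Prod",
                match(index, "_prod$"),     "Prod",
                true(),                     "Other")
| eval env_like=case(like(index, "%_non_prod"), "Non-Prod",
                     like(index, "%_prod"),     "Prod",
                     true(),                    "Other")
| table index env env_like
```

The final true() branch keeps unrelated indexes from being silently labelled Prod, which is what the original if() did. Note that in like() the underscore is itself a single-character wildcard, so "%_prod" also matches the constructed sony_app_333333_nonprod (env_like becomes Prod) while the anchored regex in match() leaves it as Other.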

splunklearner
Communicator

Hi @PickleRick, I tried but I am unable to create the SPL query. Can you please help me with the accurate query?

0 Karma

PickleRick
SplunkTrust

eval env= if(index="*non_prod*", "Non-Prod", "Prod")

This won't work. At least not the way you want it to.

Your condition tries to match the index to the literal value *non_prod*. Since an index name cannot contain asterisks, this condition will never evaluate to true.

You need to use one of the other comparison functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

Suitable candidates:

like()

match()

searchmatch()


0 Karma

splunklearner
Communicator


@PickleRick, when I give this I am getting an error...

0 Karma