Splunk Search

Eval command

splunklearner
Communicator

Hello,

We have separate indexes created for non-prod and prod. 

Sample index name :

sony_app_XXXXXX_non_prod - for non-prod env

sony_app_XXXXXX_prod - for prod env

XXXXXX are Application ID numbers (different per application), and we have other indexes as well (besides the non-prod and prod ones).

I want a field called env derived from the index name: for all non-prod indexes, env should be Non-Prod, and for prod indexes, env should be Prod.

I used the command below:

index=sony* | eval env=if(index="*non_prod*", "Non-Prod", "Prod"). This will not work for Prod because we have other indexes as well which do not include either non_prod or prod.

But it is giving all values as Prod in env.

Kindly help me with the solution to achieve this.

0 Karma

yuanliu
SplunkTrust

There are many ways to do this, but using the if function is perhaps my last choice.  Try this:

 

| rex field=index "_(?<app_id>\w+?)_(?<environment>(non_)*prod)"

 

Here is an emulation for you to play with and compare with real data.

 

| makeresults format=csv data="index
sony_app_XXXXXX_non_prod
sony_app_XXXXXX_prod
sony_app_123456_non_prod
sony_app_xyzabc_prod"
``` the above emulates
index = sony_*
```

 

Output from this emulation is:

app_id      environment  index
app_XXXXXX  non_prod     sony_app_XXXXXX_non_prod
app_XXXXXX  prod         sony_app_XXXXXX_prod
app_123456  non_prod     sony_app_123456_non_prod
app_xyzabc  prod         sony_app_xyzabc_prod

Hope this helps.

0 Karma

splunklearner
Communicator

[screenshot attachment]

0 Karma

PickleRick
SplunkTrust

OK. Back up a little. Read the descriptions for those functions. In detail.

searchmatch() needs a string containing normal search condition(s). That means that you could use it like this:

searchmatch("index=\"*prod*\"")

As you can see - you need to escape the inner quotes if your search terms contain them.

The match() function expects a regex so you can't use simple wildcards.

match(index,".*prod.*")

The like() function uses SQL-like matching, so you'd use % as the wildcard.

like(index,"%prod%")
0 Karma
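The following search combines yuanliu's rex extraction with the match() approach PickleRick points to, as an added example that is not from either poster. It assumes the index naming from the question (sony_app_<id>_non_prod and sony_app_<id>_prod, plus unrelated sony_* indexes that contain neither suffix); the makeresults rows are constructed sample data standing in for index=sony* and should be replaced by the real search:

```spl
| makeresults format=csv data="index
sony_app_111111_non_prod
sony_app_222222_prod
sony_app_333333_analytics"
| eval env=case(match(index, "_non_prod$"), "Non-Prod",
                match(index, "_prod$"),     "Prod",
                true(),                     "Other")
| rex field=index "^sony_app_(?<app_id>[^_]+)_"
| table index app_id env
```

The case() branches are ordered on purpose: "_non_prod$" is tested before "_prod$" because a non-prod index name also ends in "prod", so a single like(index, "%prod%") or match(index, "prod") would label everything Prod, which is the symptom in the question. The true() default catches the indexes that carry neither suffix instead of silently calling them Prod. With the sample rows the three results are Non-Prod, Prod and Other, with app_id 111111, 222222 and 333333. If you prefer like(), remember that in like() an underscore is a single-character wildcard, so "%_non_prod" and "%_prod" still work here but are less strict than the anchored regexes above.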

splunklearner
Communicator

Hi @PickleRick, I tried but I am unable to create the SPL query. Can you please help me with the accurate query?

0 Karma

PickleRick
SplunkTrust

eval env= if(index="*non_prod*", "Non-Prod", "Prod")

This won't work. At least not the way you want it to.

Your condition tries to match the index to the literal value of *non_prod*. Since index name cannot contain asterisks this condition will never evaluate to true.

You need to use one of the other comparison functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions

Suitable candidates:

like()

match()

searchmatch()

 

0 Karma

splunklearner
Communicator

[screenshot attachment]

@PickleRick, using this I am getting an error...

0 Karma