How Define a variable to use it in other search?

evelandi · ‎03-15-2019

Hi experts, im trying to definde a variable in my search to use is in other search. it should work as a filter in the other search.

"companyNames" is a sourcetype where several company names,Keys are stored for example Key 100001 is customer1.

on the other hand i have the sourcetype "groups" which contains groups for all the companies.

what im trying to do is to filter my second seach by searching the key 100001 so i can define a variable which will be the index for the other search, the indexes for groups are "key-cc" so this is why i define the variable id1 as "Key-cc" but the second search is empty.

sourcetype=companyNames Key=100001
| eval id1= Key."-cc"
| search sourcetype=groups index=id1
| table groupId,groupName

if i search like this:

sourcetype=groups index=100001-cc
| table groupId,groupName

the search have values. please your help telling me what im doing wrong.

thanks in advance.

renjith_nair · ‎03-16-2019

@evelandi,

search takes the terms given as literal and hence even though you assign some value to the variables. In the above example, your final search will still be index=id1 and not the value. You may verify that from job inspector.

To make the above search work, you can use where which work as conditional expressions

 sourcetype=companyNames Key=100001
 | eval id1= Key."-cc"
 | where sourcetype=groups AND index=id1
 | table groupId,groupName

However, looking at your original requirement, you may try

sourcetype=groups [ sourcetype=companyNames  |"search for all keys"|eval id1= Key."-cc"|rename id1 as index ]

Final search will be formulated as sourcetype=groups (index=100001 OR index=100002)

---
What goes around comes around. If it helps, hit it with Karma 🙂

How Define a variable to use it in other search?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024