Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How Define a variable to use it in other search?

evelandi
New Member
‎03-15-2019 04:58 PM

Hi experts, im trying to definde a variable in my search to use is in other search. it should work as a filter in the other search.

"companyNames" is a sourcetype where several company names,Keys are stored for example Key 100001 is customer1.

on the other hand i have the sourcetype "groups" which contains groups for all the companies.

what im trying to do is to filter my second seach by searching the key 100001 so i can define a variable which will be the index for the other search, the indexes for groups are "key-cc" so this is why i define the variable id1 as "Key-cc" but the second search is empty.

sourcetype=companyNames Key=100001
| eval id1= Key."-cc"
| search sourcetype=groups index=id1
| table groupId,groupName

if i search like this:

sourcetype=groups index=100001-cc
| table groupId,groupName

the search have values. please your help telling me what im doing wrong.

thanks in advance.

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎03-16-2019 05:04 AM

@evelandi,

search takes the terms given as literal and hence even though you assign some value to the variables. In the above example, your final search will still be index=id1 and not the value. You may verify that from job inspector.

To make the above search work, you can use where which work as conditional expressions

 sourcetype=companyNames Key=100001
 | eval id1= Key."-cc"
 | where sourcetype=groups AND index=id1
 | table groupId,groupName

However, looking at your original requirement, you may try 

sourcetype=groups [ sourcetype=companyNames  |"search for all keys"|eval id1= Key."-cc"|rename id1 as index ]

Final search will be formulated as sourcetype=groups (index=100001 OR index=100002)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...