Splunk Search

How to create field values as SPL for generating commands and run these commands with map

peterschloenske
Explorer

Hi,

Depending on specific field values, I would like to perform different actions per event in one search string with the map command. I will try to create a simple example:

1. If there is an event that includes field=value_1, I would like to remove rows from a lookup that have field=value_1

2. If there is an event that includes field=value_2, I would like to add a row to another lookup.

Here is how I create my sample data:

| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup test_2.csv")


The easiest way I thought of was adding

| map search="$spl$"

But Splunk seems to put quotes around the value. Avoiding that with the approach described here (https://community.splunk.com/t5/Installation/How-do-you-interpret-string-variable-as-SPL-in-Map-func...) does not work, because I cannot use the search command this way.

Do you have any ideas on how to achieve my goal?


0 Karma
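Added example (not code from the question or from Splunk): the eval/case() above builds SPL by concatenating the raw value of `field` into a quoted string literal, and that string is then handed to something that executes it (map, or a dashboard token). Any value containing a double quote, backslash or pipe therefore changes the generated command. The Python below reproduces the question's case() logic outside Splunk so the generated commands can be reviewed first, and adds the two checks a practitioner would want: an allowlist for values that may be interpolated, and proper escaping of the literal (the `\"` form the original search already uses). The names `spl_quote`, `classify`, `build_spl`, `plan` and the allowlist pattern are assumptions of this example; the lookup names and SPL fragments are the question's own.

```python
"""Build per-event SPL strings outside Splunk so the generated commands can be
reviewed before anything executes them (added example, not from the thread)."""
import re
from typing import Optional

# Allowlist for values that are interpolated into generated SPL. Assumption for
# this example: lookup keys are plain identifiers, so anything else is rejected
# before it can reach a string literal inside the generated search.
FIELD_VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def spl_quote(value: str) -> str:
    """Wrap value in double quotes as an SPL string literal, escaping backslashes
    and embedded double quotes (the \\" form the original search already uses)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def classify(field_value: str) -> Optional[str]:
    """Mirror of the case() in the question: value_1 removes rows, value_2 adds
    one, anything else yields no action (case() returns null there)."""
    if field_value == "value_1":
        return "remove"
    if field_value == "value_2":
        return "add"
    return None


def build_spl(field_value: str) -> Optional[str]:
    """Return the SPL for one event, or None when no action applies.
    Raises ValueError instead of emitting SPL for values outside the allowlist."""
    if not FIELD_VALUE_RE.match(field_value):
        raise ValueError(f"refusing to interpolate unexpected field value: {field_value!r}")
    action = classify(field_value)
    if action == "remove":
        return (f"| inputlookup test.csv | search NOT field={spl_quote(field_value)}"
                " | outputlookup test_2.csv")
    if action == "add":
        return (f"| makeresults | eval field={spl_quote(field_value)}"
                " | outputlookup test_2.csv")
    return None


def plan(events: list) -> list:
    """Per-event plan in the order map would run it: (field value, SPL) pairs,
    skipping events that produce no action."""
    result = []
    for event in events:
        spl = build_spl(event["field"])
        if spl is not None:
            result.append((event["field"], spl))
    return result


if __name__ == "__main__":
    # Constructed sample matching the makeresults data in the question,
    # plus one value the case() does not cover.
    sample = [{"field": "value_1"}, {"field": "value_2"}, {"field": "value_3"}]
    for field_value, spl in plan(sample):
        print(f"{field_value}: {spl}")
```

For the two values in the question, `build_spl` yields exactly the SPL the case() produces; the difference is that a value outside the allowlist is refused before any command is generated, and any value that does pass is escaped rather than pasted in. The same two checks apply whichever mechanism finally runs the string.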

ITWhisperer
SplunkTrust

Here is an enhanced version of the dashboard which performs the actions you described (more or less).

<form version="1.1" theme="light">
  <label>Token-driven repetition save</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| stats count as counter</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <eval token="current">if($result.counter$ &gt; 0,$result.counter$,null())</eval>
              <set token="trace"></set>
            </condition>
            <condition>
              <set token="trace"></set>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>$current$</title>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")
| eval counter=$current$
| tail $current$
| reverse</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <set token="spl">$result.spl$</set>
              <eval token="current">if($result.counter$ &gt; 1,$result.counter$-1,null())</eval>
            </condition>
            <condition>
              <eval token="spl">if($result.counter$ &gt; 0,$result.spl$,null())</eval>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>$spl$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <unset token="spl"></unset>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

ITWhisperer
SplunkTrust

Another way to possibly achieve this goal, albeit slowly, is to use tokens in a Classic SimpleXML dashboard to execute a series of searches.

<form version="1.1" theme="light">
  <label>Token-driven repetition</label>
  <init>
    <set token="trace"/>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="limit">
      <label>Loop count</label>
      <choice value="0">0</choice>
      <default>0</default>
      <initialValue>0</initialValue>
      <fieldForLabel>count</fieldForLabel>
      <fieldForValue>count</fieldForValue>
      <search>
        <query>| makeresults count=5
| streamstats count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <eval token="current">if($value$&gt;0,$value$,null())</eval>
        <set token="trace"/>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $trace$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval counter=$current$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 0">
              <eval token="trace">if($result.counter$&gt;0,$trace$." ".$result.counter$,$trace$)</eval>
              <eval token="current">$result.counter$-1</eval>
            </condition>
            <condition match="$current$=0">
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

The idea is that the input (in this case; you could instead use a row count from your initial field list) is used to limit the number of times the "loop" is executed. The panel executes a search and reduces the counter by one. There is also a panel which essentially shows a trace, to show that the search has been executed.

Updated due to the way the null() function now operates with respect to unsetting tokens!

0 Karma