Splunk Search

How to create field values as SPL for generating commands and run these commands with map

peterschloenske
Explorer


Hi,

depending on specific field values I would like to perform different actions per event in one search string with the map command. I will try to create a simple example:

1. If there is an event that includes field=value_1, I would like to remove rows from a lookup that have field=value_1

2. If there is an event that includes field=value_2, I would like to add a row to another lookup.

Here is how I create my sample data:

| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup test_2.csv")


The easiest way I thought of was adding

| map search="$spl$"

But Splunk seems to put quotes around the value. Avoiding that with the approach described here (https://community.splunk.com/t5/Installation/How-do-you-interpret-string-variable-as-SPL-in-Map-func...) does not work, because I cannot use the search command this way.

Do you have any ideas on how to achieve my goal?


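As an added illustration (not part of the original post or any reply), the Python below mirrors the case() expression from the question that turns each event into an SPL command, with one addition the SPL string concatenation lacks: field values are quoted and escaped before being embedded, so a value containing a double quote or backslash cannot break out of the `field="..."` literal and change the generated command. The sample rows and the helper names `spl_quote`, `build_spl` and `generate_commands` are assumptions made for this example.

```python
# Added example (not code from the original post): build the per-event SPL
# strings from the question in Python, escaping each field value before it
# is embedded in a quoted SPL literal.
from typing import Optional

# Constructed sample rows matching the makeresults data in the question,
# plus one row with no matching case() branch (it is dropped, as null() is).
SAMPLE_ROWS = [
    {"field": "value_1"},
    {"field": "value_2"},
    {"field": "value_3"},
]


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal.

    Backslash is escaped first, then the double quote, so the result is
    safe inside search ... field="..." or an eval string literal.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_spl(row: dict) -> Optional[str]:
    """Mirror the case() expression from the question for one event.

    value_1 -> remove matching rows from test.csv, writing test_2.csv
    value_2 -> append a new row to test_2.csv (append=t, as in the reply)
    anything else -> None, like case() returning null() for no match
    """
    field = row["field"]
    quoted = spl_quote(field)
    if field == "value_1":
        return (f"| inputlookup test.csv | search NOT field={quoted} "
                f"| outputlookup test_2.csv")
    if field == "value_2":
        return (f"| makeresults | eval field={quoted} "
                f"| outputlookup append=t test_2.csv")
    return None


def generate_commands(rows: list) -> list:
    """One SPL string per event that matched a branch, in input order."""
    return [spl for spl in (build_spl(r) for r in rows) if spl is not None]


if __name__ == "__main__":
    for cmd in generate_commands(SAMPLE_ROWS):
        print(cmd)
```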

ITWhisperer
SplunkTrust

Here is an enhanced version of the dashboard which performs the actions you described (more or less).

<form version="1.1" theme="light">
  <label>Token-driven repetition save</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| stats count as counter</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <eval token="current">if($result.counter$ &gt; 0,$result.counter$,null())</eval>
              <set token="trace"></set>
            </condition>
            <condition>
              <set token="trace"></set>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>$current$</title>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")
| eval counter=$current$
| tail $current$
| reverse</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <set token="spl">$result.spl$</set>
              <eval token="current">if($result.counter$ &gt; 1,$result.counter$-1,null())</eval>
            </condition>
            <condition>
              <eval token="spl">if($result.counter$ &gt; 0,$result.spl$,null())</eval>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>$spl$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <unset token="spl"></unset>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

ITWhisperer
SplunkTrust

Another way to possibly achieve this goal, albeit slowly, is to use tokens in a Classic SimpleXML dashboard to execute a series of searches.

<form version="1.1" theme="light">
  <label>Token-driven repetition</label>
  <init>
    <set token="trace"/>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="limit">
      <label>Loop count</label>
      <choice value="0">0</choice>
      <default>0</default>
      <initialValue>0</initialValue>
      <fieldForLabel>count</fieldForLabel>
      <fieldForValue>count</fieldForValue>
      <search>
        <query>| makeresults count=5
| streamstats count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <eval token="current">if($value$&gt;0,$value$,null())</eval>
        <set token="trace"/>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $trace$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval counter=$current$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 0">
              <eval token="trace">if($result.counter$&gt;0,$trace$." ".$result.counter$,$trace$)</eval>
              <eval token="current">$result.counter$-1</eval>
            </condition>
            <condition match="$current$=0">
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

The idea is that the input (in this case, but you could use a row count from your initial field list) is used to limit the number of times the "loop" is executed. The panel executes a search and reduces the counter by one. There is a panel which essentially shows a trace to show that the search has been executed.

Updated due to the way the null() function now operates with respect to unsetting tokens!
