Splunk Search

How to create field values as SPL for generating commands and run these commands with map

peterschloenske
Explorer


Hi,

Depending on specific field values, I would like to perform different actions per event in one search string with the map command. I will try to create a simple example:

1. If there is an event that includes field=value_1, I would like to remove rows from a lookup that have field=value_1

2. If there is an event that includes field=value_2, I would like to add a row to another lookup.

Here is how I create my sample data:

| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup test_2.csv")


The easiest way I thought of was adding

| map search="$spl$"

But Splunk seems to put quotes around the value. Avoiding that with the approach described here (https://community.splunk.com/t5/Installation/How-do-you-interpret-string-variable-as-SPL-in-Map-func...) does not work, because I cannot use the search command this way.

Do you have any ideas on how to achieve my goal?



ITWhisperer
SplunkTrust

Here is an enhanced version of the dashboard which performs the actions you described (more or less).

<form version="1.1" theme="light">
  <label>Token-driven repetition save</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| stats count as counter</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <eval token="current">if($result.counter$ &gt; 0,$result.counter$,null())</eval>
              <set token="trace"></set>
            </condition>
            <condition>
              <set token="trace"></set>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>$current$</title>
        <search>
          <query>| makeresults format=csv data="field
value_1
value_2"

| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")
| eval counter=$current$
| tail $current$
| reverse</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <set token="spl">$result.spl$</set>
              <eval token="current">if($result.counter$ &gt; 1,$result.counter$-1,null())</eval>
            </condition>
            <condition>
              <eval token="spl">if($result.counter$ &gt; 0,$result.spl$,null())</eval>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>$spl$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <unset token="spl"></unset>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

ITWhisperer
SplunkTrust

Another way to possibly achieve this goal, albeit slowly, is to use tokens in a Classic SimpleXML dashboard to execute a series of searches.

<form version="1.1" theme="light">
  <label>Token-driven repetition</label>
  <init>
    <set token="trace"/>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="limit">
      <label>Loop count</label>
      <choice value="0">0</choice>
      <default>0</default>
      <initialValue>0</initialValue>
      <fieldForLabel>count</fieldForLabel>
      <fieldForValue>count</fieldForValue>
      <search>
        <query>| makeresults count=5
| streamstats count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <eval token="current">if($value$&gt;0,$value$,null())</eval>
        <set token="trace"/>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $trace$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval counter=$current$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 0">
              <eval token="trace">if($result.counter$&gt;0,$trace$." ".$result.counter$,$trace$)</eval>
              <eval token="current">$result.counter$-1</eval>
            </condition>
            <condition match="$current$=0">
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

The idea is that the input (in this case; you could instead use a row count from your initial field list) is used to limit the number of times the "loop" is executed. The panel executes a search and reduces the counter by one. There is a panel which essentially shows a trace to show that the search has been executed.

Updated due to the way the null() function now operates with respect to unsetting tokens!
