Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create field values as SPL for generating c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create field values as SPL for generating commands and run these commands with map
Hi,
depending on specific field values I would like to perform different actions per event in one search string with the map command. I will try to create a simple example:
1. If there is an event that includes field=value_1, I would like to remove rows from a lookup that have field=value_1
2. If there is an event that includes field=value_2, I would like to add a row to another lookup.
Here is how I create my sample data:
| makeresults format=csv data="field
value_1
value_2"
| eval spl=case(field="value_1","| inputlookup test.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+$field$+"\" | outputlookup test_2.csv")
The easiest way I thought of was adding
| map search="$spl$"
But Splunk seems to put quotes around the value. Avoiding that with the approach described here (https://community.splunk.com/t5/Installation/How-do-you-interpret-string-variable-as-SPL-in-Map-func...) does not work, because I can not use the search command this way.
Do you have ideas how to achieve my goal?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is an enhanced version of the dashboard which performs the actions you described (more or less).
<form version="1.1" theme="light">
<label>Token-driven repetition save</label>
<row>
<panel>
<table>
<search>
<query>| makeresults format=csv data="field
value_1
value_2"
| stats count as counter</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<condition match="$result.counter$ > 1">
<eval token="current">if($result.counter$ > 0,$result.counter$,null())</eval>
<set token="trace"></set>
</condition>
<condition>
<set token="trace"></set>
<unset token="current"/>
</condition>
</done>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<search>
<query>| makeresults format=csv data="field
value_1
value_2"
| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>$current$</title>
<search>
<query>| makeresults format=csv data="field
value_1
value_2"
| eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv",
field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")
| eval counter=$current$
| tail $current$
| reverse</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<condition match="$result.counter$ > 1">
<set token="spl">$result.spl$</set>
<eval token="current">if($result.counter$ > 1,$result.counter$-1,null())</eval>
</condition>
<condition>
<eval token="spl">if($result.counter$ > 0,$result.spl$,null())</eval>
<unset token="current"/>
</condition>
</done>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<search>
<query>$spl$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<unset token="spl"></unset>
</done>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way to possibility achieve this goal, albeit slowly, is to use tokens in a Classic SimpleXML dashboard to execute a series of searches.
<form version="1.1" theme="light">
<label>Token-driven repetition</label>
<init>
<set token="trace"/>
</init>
<fieldset submitButton="false">
<input type="dropdown" token="limit">
<label>Loop count</label>
<choice value="0">0</choice>
<default>0</default>
<initialValue>0</initialValue>
<fieldForLabel>count</fieldForLabel>
<fieldForValue>count</fieldForValue>
<search>
<query>| makeresults count=5
| streamstats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<eval token="current">if($value$>0,$value$,null())</eval>
<set token="trace"/>
</change>
</input>
</fieldset>
<row>
<panel>
<html>
$trace$
</html>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval counter=$current$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<condition match="$result.counter$ > 0">
<eval token="trace">if($result.counter$>0,$trace$." ".$result.counter$,$trace$)</eval>
<eval token="current">$result.counter$-1</eval>
</condition>
<condition match="$current$=0">
<unset token="current"/>
</condition>
</done>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>The idea being that the input (in this case, but you could use a row count from your initial field list) is used to limit the number of times the "loop" is executed. The panel executes a search and reduces the counter by one. There is a panel which essentially shows a trace to show that the search has been executed.
Updated due to the way the null() function now operates with respect to unsetting tokens!
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
