Splunk Search

How to dynamically assign a variable to maxspan and span

mpaw
Explorer

Hi,

I want to create a dynamic variable containing the span value for my index search. I have a lookup file that has the corresponding value; it should be looked up against the index search and update the span value. Unfortunately, I cannot get it to work. Any tips/ideas?

Instead of:
maxspan=7m; span=240m

It will be like this:

maxspan=duration1; span=duration1

Here is my script:
| search Id="*"
| lookup error_rules.csv EventSubType as EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| eval recorrenceWindow=$span_time$
| eval duration=floor($recorrenceWindow$)
| eval duration1=duration+"m"
| transaction Id PublisherMessage maxspan=7m
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time
| bucket _time span=240m

| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time

Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit
Failed to Ping Computer,Critical,7,0,0,0

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$"


mpaw
Explorer

I tried using the map command in my index search, but my lookup return is getting messed up, and the maxspan is not taking effect. Below is my updated script:

| search Id="*"
| lookup error_rules.csv EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit

| table Id PublisherMessage EventSubType PublisherTimestamp alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| map search="search index=* | transaction Id PublisherMessage maxspan=$span_time$"

| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time

Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit

Failed to Ping Computer,Critical,7m,0,0,0
Application Error,Warning,5m,0,0,0

0 Karma

tiagofbmm
Influencer

Define the field upfront and pass it to the map command like this example:

| makeresults 
| eval field="member_guid" 
| map search="search index=_internal 
| transaction $field$"
0 Karma
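Putting the two answers above together with the original pipeline, here is an added example of the full search (it is not from any of the posters in this thread). It assumes an index called myindex and that the lookup column is really named span_time; note that the CSV header pasted in the question reads spam_time, which would make span_time come back empty from the lookup, so check that header first. It also accepts lookup values written either as bare minutes (7) or with a unit (7m), and normalizes them to a unit-suffixed string, because transaction maxspan and bin span both need the unit. Two things about map matter here: it runs the inner search once per input row, so the outer part is reduced to one row per distinct span value first (map also stops after maxsearches searches, 10 by default, hence the explicit option); and the inner search starts over from the raw index and only sees the outer row's fields as $field$ tokens, which is why the lookup has to be repeated inside it rather than relying on the table built outside (the reason the lookup fields looked "messed up" in the follow-up attempt).

```spl
index=myindex Id="*"
| lookup error_rules.csv EventSubType OUTPUT span_time
| where isnotnull(span_time)
| eval span_raw=span_time
| eval span=if(match(span_raw, "^\d+$"), span_raw."m", span_raw)
| stats count AS events_with_span by span_raw span
| map maxsearches=20 search="search index=myindex Id=\"*\"
    | lookup error_rules.csv EventSubType OUTPUT alert_type span_time reoccurrence_threshold_count check_reoccurrence_window_limit
    | search span_time=\"$span_raw$\"
    | transaction Id PublisherMessage maxspan=$span$
    | bin _time span=$span$
    | stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType values(alert_type) AS AlertType values(reoccurrence_threshold_count) AS ReoccurrenceThresholdCount values(check_reoccurrence_window_limit) AS ReoccurrenceWindowLimit count by Id PublisherMessage _time
    | eval SpanUsed=\"$span$\""
```

Two details worth keeping in mind: eval's string concatenation operator is the dot, so the unit is appended with span_raw."m" rather than with +, which is only guaranteed to concatenate when both operands are strings; and the quotes inside the map search string have to be escaped as \" because the whole inner search is itself a quoted argument. The SpanUsed column is added only so that each block of output shows which span drove it, which is the quickest way to confirm the token substitution actually happened.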

tiagofbmm
Influencer

@mpaw please accept an answer if it solved/helped, and upvote it. Otherwise, let us know how we can help further.

0 Karma