Splunk Search

How to dynamic assign variable to maxspan and span

mpaw
Explorer

Hi,

I want to create a dynamic variable containing the span value on my index search. I have a lookup file that has corresponding value then it will lookup to the index search and update the span value. Unfortunately, I cannot get it to work. Any tips/ideas?

Instead of:
maxspan=7m; span=240m

It will be like this:

maxspan=duration1; span=duration1

Here is my script below:
| search Id="*"
| lookup error_rules.csv EventSubType as EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| eval recorrenceWindow=$span_time$
| eval duration=floor($recorrenceWindow$)
| eval duration1=duration+"m"
| transaction Id PublisherMessage maxspan=7m
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time
| bucket _time span=240m

| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time

Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit
Failed to Ping Computer,Critical,7,0,0,0

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$"

View solution in original post

mpaw
Explorer

I tried using the map command in my index but my lookup return is getting messed up also the maxspan is not taking effect. Below is my updated script:

| search Id="*"
| lookup error_rules.csv EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit

| table Id PublisherMessage EventSubType PublisherTimestamp alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit
| map search="search index=* | transaction Id PublisherMessage maxspan=$span_time$"

stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time

Lookup File:
EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit

Failed to Ping Computer,Critical,7m,0,0,0
Application Error,Warning,5m,0,0,0

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults | eval maxspan="7m"
| map search="search index=_* | transaction host maxspan=$maxspan$"

tiagofbmm
Influencer

Define the field upfront and pass it to the map command like this example:

| makeresults 
| eval field="member_guid" 
| map search="search index=_internal 
| transaction $field$"
0 Karma

tiagofbmm
Influencer

@mpaw please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...