Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Save value into a variable

Naaba
New Member
‎12-30-2016 05:45 AM

Hi,

I use Talend Open Studio to collect data on Gitlab (via Gitlab API) and send them to Splunk.

As Gitlab continually has new data over time, I want to save the pull position. So at the next pull I will pull only the new data.

Is it possible to create a variable on Splunk, save a value on this variable, and update the variable?
If it is possible to create a variable on Splunk, is it possible to make (HTTP?) request to Splunk to retrieve the value of a variable?

Thank you for your answer

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-30-2016 06:51 AM

By variable you mean a field right? If so then you will need to write a regular expression to capture the values for your field. Post some sample data and what you want to capture

If you already have a field defined and you want to create a variable in your search, you will then need to use eval

https://answers.splunk.com/answers/71194/declare-a-variable-in-search-string.html

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎12-30-2016 06:51 AM

By variable you mean a field right? If so then you will need to write a regular expression to capture the values for your field. Post some sample data and what you want to capture

If you already have a field defined and you want to create a variable in your search, you will then need to use eval

https://answers.splunk.com/answers/71194/declare-a-variable-in-search-string.html

0 Karma
Reply
Solved! Jump to solution

Naaba
New Member
‎12-30-2016 07:13 AM

Hi Skoelpin,

I send data in JSON format to splunk :

{
     event: test
     description: splunk test   
     issue_id: 1
     updated_at: 2016-01-04T15:31:39.996Z
}

I have two serveurs : One server with my script and the second one with Splunk
I want to make request to Splunk from my first server to retrieve/update the value save in "updated_at".
Is it possible?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎12-30-2016 10:52 AM

So you want to capture the value from updated_at: and send that value to another server?

If so then you should create a field to capture the value, here's the regex to do so

updated_at\:\s(?<UpdatedTime>\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+Z)

The field will be called UpdatedTime and have many values..

You can then create a Splunk alert anytime this field has a new value and trigger a script which can make a update the value

0 Karma
Reply
Solved! Jump to solution

Naaba
New Member
‎01-11-2017 06:28 AM

Sorry for the late. Thank you very much for your answer.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-12-2017 07:57 AM

@Naaba , if this answered your question, can you please accept it?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...