Splunk Search

Save value into a variable

Naaba
New Member

Hi,

I use Talend Open Studio to collect data from Gitlab (via the Gitlab API) and send it to Splunk.

As Gitlab continually has new data over time, I want to save the pull position, so at the next pull I will pull only the new data.

Is it possible to create a variable in Splunk, save a value in this variable, and update the variable?
If it is possible to create a variable in Splunk, is it possible to make an (HTTP?) request to Splunk to retrieve the value of the variable?

Thank you for your answer

0 Karma
1 Solution

skoelpin
SplunkTrust

By variable you mean a field, right? If so, then you will need to write a regular expression to capture the values for your field. Post some sample data and what you want to capture.

If you already have a field defined and you want to create a variable in your search, you will then need to use eval:

https://answers.splunk.com/answers/71194/declare-a-variable-in-search-string.html

0 Karma

Naaba
New Member

Hi Skoelpin,

I send data in JSON format to Splunk:

{
     event: test
     description: splunk test   
     issue_id: 1
     updated_at: 2016-01-04T15:31:39.996Z
}

I have two servers: one with my script and the second one with Splunk.
I want to make a request to Splunk from my first server to retrieve/update the value saved in "updated_at".
Is it possible?

0 Karma

skoelpin
SplunkTrust

So you want to capture the value from updated_at: and send that value to another server?

If so, then you should create a field to capture the value. Here's the regex to do so:

updated_at\:\s(?<UpdatedTime>\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+Z)

The field will be called UpdatedTime and will have many values.

You can then create a Splunk alert any time this field has a new value and trigger a script which can update the value.

0 Karma
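The retrieval half of the question (the collector asking Splunk for the last updated_at over HTTP, then resuming from it), as an added example that is not from the thread, from Splunk or from Talend. It also applies the regex posted in the answer to raw event text locally, so it covers both the field-extraction advice above and the "request the value from Splunk" part. Everything outside the thread is an assumption: the index name `gitlab`, splunkd's management port 8089 on the host `splunk.example.internal`, a bearer token for authentication, updated_at already being an extracted field, and a GitLab endpoint that accepts an `updated_after` filter.

```python
"""Added example (not from the thread, Splunk or Talend): read the pull
watermark back out of Splunk over HTTP and build the next GitLab pull from it.

Assumed, because the thread does not say: events sit in index=gitlab with
updated_at already an extracted field; the collector reaches splunkd's
management port (8089) with an authentication token; the GitLab endpoint
accepts an updated_after filter.
"""
import json
import re
import urllib.parse
import urllib.request

SPLUNK_BASE = "https://splunk.example.internal:8089"  # assumed hostname/port
GITLAB_INDEX = "gitlab"                                # assumed index name

# The field extraction posted in the answer, written in Python's (?P<name>...)
# syntax; Splunk's PCRE accepts (?<name>...), Python's re module does not.
UPDATED_AT_RE = re.compile(
    r"updated_at\:\s(?P<UpdatedTime>\d+\-\d+\-\d+T\d+\:\d+\:\d+\.\d+Z)"
)

# updated_at is ISO-8601 with fixed-width fields, so max() on the string is
# the newest event; no timestamp parsing needed.
WATERMARK_SEARCH = f"search index={GITLAB_INDEX} | stats max(updated_at) AS last_updated"


def watermark_request(base_url, token, search, earliest="-30d"):
    """Build the splunkd REST call. POST /services/search/jobs with
    exec_mode=oneshot returns the results inline instead of a job id to poll."""
    body = urllib.parse.urlencode({
        "search": search,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": "now",
    }).encode()
    # urllib verifies the TLS certificate by default; for a self-signed splunkd
    # cert, pass an ssl.SSLContext built with that CA to urlopen() rather than
    # turning verification off.
    return urllib.request.Request(
        f"{base_url}/services/search/jobs",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}"},
    )


def parse_watermark(payload):
    """Extract last_updated from the oneshot JSON body (bytes).
    Returns None when the index has no events yet (stats returns no row) or
    none carry the field (stats returns an empty value), so the caller can
    fall back to a full pull instead of failing on results[0]."""
    results = json.loads(payload).get("results", [])
    if not results:
        return None
    return results[0].get("last_updated") or None


def next_pull_params(watermark):
    """Query parameters for the next GitLab API pull. Ascending order by
    updated_at means an interrupted page still advances the watermark safely."""
    params = {"order_by": "updated_at", "sort": "asc", "per_page": "100"}
    if watermark:
        params["updated_after"] = watermark
    return params


def latest_from_raw_events(lines):
    """The regex route from the answer, applied to raw event text: return the
    newest UpdatedTime seen, or None when nothing matches."""
    found = [m.group("UpdatedTime") for m in map(UPDATED_AT_RE.search, lines) if m]
    return max(found) if found else None


# Constructed samples (not captured from a real Splunk or GitLab).
SAMPLE_ONESHOT = json.dumps(
    {"results": [{"last_updated": "2016-01-04T15:31:39.996Z"}]}
).encode()
SAMPLE_EMPTY = json.dumps({"results": []}).encode()
SAMPLE_RAW_EVENTS = [
    "{ event: test description: splunk test issue_id: 1 updated_at: 2016-01-04T15:31:39.996Z }",
    "{ event: test description: second issue_id: 2 updated_at: 2016-01-05T09:02:11.004Z }",
    "{ event: test description: no timestamp issue_id: 3 }",
]

if __name__ == "__main__":
    req = watermark_request(SPLUNK_BASE, "<token>", WATERMARK_SEARCH)
    print(req.get_method(), req.full_url)
    # Live run: with urllib.request.urlopen(req) as resp: body = resp.read()
    print(next_pull_params(parse_watermark(SAMPLE_ONESHOT)))
    print(next_pull_params(parse_watermark(SAMPLE_EMPTY)))
    print(latest_from_raw_events(SAMPLE_RAW_EVENTS))
```

Two practical caveats. The token used here only ever needs to run a search against that one index, so give it a role restricted to `index=gitlab` rather than the admin account. And if GitLab's filter treats the boundary timestamp as inclusive, the record at the watermark comes back once more on the next pull; that is harmless as long as searches that count issues deduplicate, for example with `| dedup issue_id updated_at`.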

Naaba
New Member

Sorry for the late reply. Thank you very much for your answer.

0 Karma

skoelpin
SplunkTrust

@Naaba, if this answered your question, can you please accept it?

0 Karma