Splunk Search

Search/Macro using a variable as a condition

alekksi
Communicator

Hi all,

I am trying to use a variable as a search condition based on input in a text box. In order to make it simpler for users, I want them to be able to enter as many potential search strings as possible.

Textbox details on the dashboard:
token: jobname
default: *
token prefix: job=

Example input: "string1 string2 string3"

I then put this through an eval to get a search condition to run:
eventtype=my_eventtype | rex field="some regex (?moreregex)" | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=")

This will mean that the variable jobsearch will be:
"job=string1 OR job=string2 OR job=string3"

How then do I use the variable as a search condition? It obvious way, you would think would be to do this (carrying on from the above query):
| search $jobsearch$
which doesn't work / returns nothing.

The other way that seemed promising was using macros.
[stringsearch(1)]
args=sstring
definition = search $sstring$

Which doesn't seem to work either, using these examples:

This works:
eventtype=my_eventtype | stringsearch(mystringtosearch)

This doesn't:
eventtype=my_eventtype | eval var="mystringtosearch" | stringsearch($var$)

Does anyone know of a way of using strings in variables as conditions?

Thanks and best regards,
Alex

0 Karma
1 Solution

somesoni2
Revered Legend

Try these

Using macro

eventtype=my_eventtype | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=") | `stringsearch(jobsearch)`

Using subsearch (will require to remove "token prefix: job=" from text box)

eventtype=my_eventtype [| gentimes start=-1 |  eval job="$jobname$" | makemv job | mvexpand job | table job ] | rest of the search

View solution in original post

somesoni2
Revered Legend

Try these

Using macro

eventtype=my_eventtype | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=") | `stringsearch(jobsearch)`

Using subsearch (will require to remove "token prefix: job=" from text box)

eventtype=my_eventtype [| gentimes start=-1 |  eval job="$jobname$" | makemv job | mvexpand job | table job ] | rest of the search

alekksi
Communicator

Thanks for your suggestions!

Unfortunately the top example using a macro doesn't work -- that literally searches the string "jobsearch"

The bottom one I can't seem to work into my full search.
eventtype=my_eventtype source="*logfile.log"
| rex "[Tt]he job '(?[^']+)'"
[ | gentimes start=-1
| eval job="email alerts"
| makemv job
| mvexpand job
| table job ]
| transaction host job session startswith="Started running the job" endswith="has succeeded"
| table _time session job duration

Gives me an error:
Error in 'rex' command: Invalid argument: '('

PS: How do I use that codeblock you've used? I'm not sure what the markup is for it and the code html tag is awful.

0 Karma

somesoni2
Revered Legend

The bottom search for your full search would be like this

eventtype=my_eventtype source="*logfile.log" | rex "[Tt]he job '(?<job>[^']+)'" | search [ | gentimes start=-1 | eval job="email alerts" | makemv job | mvexpand job | table job ] | transaction host job session startswith="Started running the job" endswith="has succeeded" | table _time session job duration

To use code block, either use the '101010' type button above the text area OR add 4 spaces at the start of the line.

alekksi
Communicator

Mate, you're a lifesaver on both counts. Thank you very much!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...