Splunk Search

Search/Macro using a variable as a condition

alekksi
Communicator

Hi all,

I am trying to use a variable as a search condition based on input in a text box. In order to make it simpler for users, I want them to be able to enter as many potential search strings as possible.

Textbox details on the dashboard:
token: jobname
default: *
token prefix: job=

Example input: "string1 string2 string3"

I then put this through an eval to get a search condition to run:
eventtype=my_eventtype | rex field="some regex (?moreregex)" | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=")

This will mean that the variable jobsearch will be:
"job=string1 OR job=string2 OR job=string3"

How then do I use the variable as a search condition? The obvious way, you would think, would be to do this (carrying on from the above query):
| search $jobsearch$
which doesn't work / returns nothing.

The other way that seemed promising was using macros.
[stringsearch(1)]
args=sstring
definition = search $sstring$

Which doesn't seem to work either, using these examples:

This works:
eventtype=my_eventtype | `stringsearch(mystringtosearch)`

This doesn't:
eventtype=my_eventtype | eval var="mystringtosearch" | `stringsearch($var$)`

Does anyone know of a way of using strings in variables as conditions?

Thanks and best regards,
Alex

1 Solution

somesoni2
Revered Legend

Try these

Using macro

eventtype=my_eventtype | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=") | `stringsearch(jobsearch)`

Using subsearch (requires removing "token prefix: job=" from the text box)

eventtype=my_eventtype [| gentimes start=-1 |  eval job="$jobname$" | makemv job | mvexpand job | table job ] | rest of the search

alekksi
Communicator

Thanks for your suggestions!

Unfortunately the top example using a macro doesn't work; that literally searches the string "jobsearch".

The bottom one I can't seem to work into my full search.
eventtype=my_eventtype source="*logfile.log"
| rex "[Tt]he job '(?<job>[^']+)'"
[ | gentimes start=-1
| eval job="email alerts"
| makemv job
| mvexpand job
| table job ]
| transaction host job session startswith="Started running the job" endswith="has succeeded"
| table _time session job duration

Gives me an error:
Error in 'rex' command: Invalid argument: '('

PS: How do I use that codeblock you've used? I'm not sure what the markup is for it and the code html tag is awful.


somesoni2
Revered Legend

The bottom search for your full search would be like this

eventtype=my_eventtype source="*logfile.log" | rex "[Tt]he job '(?<job>[^']+)'" | search [ | gentimes start=-1 | eval job="email alerts" | makemv job | mvexpand job | table job ] | transaction host job session startswith="Started running the job" endswith="has succeeded" | table _time session job duration

To use code block, either use the '101010' type button above the text area OR add 4 spaces at the start of the line.
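The two approaches in this thread, side by side, as an added example that is not part of the original posts. Macro arguments are substituted into the search string when it is parsed, before a single event is read, so `` `stringsearch(jobsearch)` `` can only ever receive the literal text `jobsearch`, never the value of a field computed by `eval`. A subsearch, by contrast, runs first, and its result rows are rewritten into a condition of the form `(job="string1") OR (job="string2") OR ...` in the outer search, which is why the second suggestion works. Below is a complete Simple XML dashboard built around the final search from the thread. The field and token names are the thread's own (`jobname`, `job`, `my_eventtype`); the dashboard label and the time-picker token `tr` are assumptions, `makeresults` stands in for `gentimes start=-1` as the one-row generator, and the text box has no token prefix, as the answer requires. The one change worth noting is `$jobname|s$`: the `|s` token filter wraps the value in double quotes and escapes any quotes inside it, so a `"` typed into the box stays part of the string instead of terminating the `eval` literal and having the rest of the input parsed as SPL.

```xml
<form>
  <!-- Added example dashboard; label and the "tr" token are assumptions, not from the thread -->
  <label>Job runs by name</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- No "token prefix": the subsearch below builds the job= clauses itself.
         The default "*" becomes job="*", which matches every job name. -->
    <input type="text" token="jobname">
      <label>Job names, space-separated (e.g. string1 string2 string3)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $jobname|s$ quotes and escapes the token value; makemv splits it on
               spaces; mvexpand turns the multivalue into one row per job name, and
               the subsearch result is rewritten as (job="a") OR (job="b") ... -->
          <query>eventtype=my_eventtype source="*logfile.log"
| rex "[Tt]he job '(?&lt;job&gt;[^']+)'"
| search
    [ | makeresults
      | eval job=$jobname|s$
      | makemv delim=" " job
      | mvexpand job
      | table job ]
| transaction host job session startswith="Started running the job" endswith="has succeeded"
| table _time session job duration</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Inside a `<query>` element the `<` and `>` of the named capture group must be written as `&lt;` and `&gt;`, which is also why the regex looked mangled when pasted into the forum. If the list of job names can get long, keep in mind that the subsearch result is limited by the `subsearch_maxout` setting in limits.conf (10,000 rows by default), which is far more than a text box will hold but matters if the same pattern is later fed from a lookup.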

alekksi
Communicator

Mate, you're a lifesaver on both counts. Thank you very much!
