Solved: Search/Macro using a variable as a condition

alekksi · ‎04-22-2016

Hi all,

I am trying to use a variable as a search condition based on input in a text box. In order to make it simpler for users, I want them to be able to enter as many potential search strings as possible.

Textbox details on the dashboard:
token: jobname default: * token prefix: job=

Example input: "string1 string2 string3"

I then put this through an eval to get a search condition to run:
eventtype=my_eventtype | rex field="some regex (?moreregex)" | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=")

This will mean that the variable jobsearch will be:
"job=string1 OR job=string2 OR job=string3"

How then do I use the variable as a search condition? It obvious way, you would think would be to do this (carrying on from the above query):
| search $jobsearch$
which doesn't work / returns nothing.

The other way that seemed promising was using macros.
[stringsearch(1)] args=sstring definition = search $sstring$

Which doesn't seem to work either, using these examples:

This works:
eventtype=my_eventtype | stringsearch(mystringtosearch)

This doesn't:
eventtype=my_eventtype | eval var="mystringtosearch" | stringsearch($var$)

Does anyone know of a way of using strings in variables as conditions?

Thanks and best regards,
Alex

somesoni2 · ‎04-22-2016

Try these

Using macro

eventtype=my_eventtype | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=") | `stringsearch(jobsearch)`

Using subsearch (will require to remove "token prefix: job=" from text box)

eventtype=my_eventtype [| gentimes start=-1 |  eval job="$jobname$" | makemv job | mvexpand job | table job ] | rest of the search

View solution in original post

somesoni2 · ‎04-22-2016

Try these

Using macro

eventtype=my_eventtype | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=") | `stringsearch(jobsearch)`

Using subsearch (will require to remove "token prefix: job=" from text box)

eventtype=my_eventtype [| gentimes start=-1 |  eval job="$jobname$" | makemv job | mvexpand job | table job ] | rest of the search

alekksi · ‎04-22-2016

Thanks for your suggestions!

Unfortunately the top example using a macro doesn't work -- that literally searches the string "jobsearch"

Gives me an error:
Error in 'rex' command: Invalid argument: '('

PS: How do I use that codeblock you've used? I'm not sure what the markup is for it and the code html tag is awful.

somesoni2 · ‎04-22-2016

The bottom search for your full search would be like this

eventtype=my_eventtype source="*logfile.log" | rex "[Tt]he job '(?<job>[^']+)'" | search [ | gentimes start=-1 | eval job="email alerts" | makemv job | mvexpand job | table job ] | transaction host job session startswith="Started running the job" endswith="has succeeded" | table _time session job duration

To use code block, either use the '101010' type button above the text area OR add 4 spaces at the start of the line.

alekksi · ‎04-25-2016

Mate, you're a lifesaver on both counts. Thank you very much!

Search/Macro using a variable as a condition

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases