Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search with a Variable

JuanAntunes
Explorer
‎04-29-2021 03:06 PM

Hi Team How are u?

I have a little question

I have a index with same informations, 

 

 

index="epo" source="endpoint"

 

 

In this search will return a column with "JustificationText", Which contains a ticket number

JuanAntunes_0-1619733392680.png

 

And with this number I need to search in another index to get some information

 

Today i'm doing this way:

 

 

 

index="epo" source="endpoint"​
| rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})"
| eval TicketNumber = number
| dedup ViolationLocalTime IncindetId
| join type=left
     [search index=servicenow sourcetype="snow:service_task" dv_number = TicketNumber]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

 

 


All the data from the first serach is coming ok but when I do a second search with the variable "TicketNumber" nothing returns to me.

If i for example, put a ticket in 

 

 

| join type=left
     [search index=servicenow sourcetype="snow:service_task" dv_number = "REQ0000197"]

 

 

Data are brought, but the same for all events

My question is how can I do this second search using a variable?

Thanks in advance! 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2021 03:48 PM

You could try something like this - join with a common field name  e.g. dv_number instead of TicketNumber

index="epo" source="endpoint"​
| rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})"
| eval dv_number = number
| dedup ViolationLocalTime IncindetId
| join type=left dv_number 
     [search index=servicenow sourcetype="snow:service_task" ]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location
Reply

JuanAntunes
Explorer
‎04-30-2021 03:19 AM

Hi @ITWhisperer  Thanks you for reply 

But running the query the way you told me still doesn't return anything

 

index="epo" source="endpoint"​
| rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})"
| eval dv_number = number
| dedup ViolationLocalTime IncindetId
| join type=left dv_number 
     [search index=servicenow sourcetype="snow:service_task" ]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

 


in the events that are found the tickets, we should have the columns of the NOW table, but it is always blank

JuanAntunes_1-1619777932449.png

 

Any other suggestions? Thank you very much!

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-30-2021 04:35 AM

I can't see any reason why it would not work. Can you try a different way of forcing the join to return the same ticket for all events?

index="epo" source="endpoint"​
| rex field="JustificationText" "(?<number>REQ\d{7}|<number>INC\d{7}|<number>TRE\d{7}|<number>CHG\d{7})"
| eval dv_number = "REQ0000197"
| dedup ViolationLocalTime IncindetId
| join type=left dv_number 
     [search index=servicenow sourcetype="snow:service_task" ]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...