Search with a Variable

JuanAntunes
Explorer

Hi Team, how are you?

I have a little question.

I have an index with some information:
index="epo" source="endpoint"

This search returns a column "JustificationText", which contains a ticket number.

JuanAntunes_0-1619733392680.png

And with this number I need to search another index to get some information.

Today I'm doing it this way:


index="epo" source="endpoint"
| rex field="JustificationText" "(?<number>(?:REQ|INC|TRE|CHG)\d{7})"
| eval TicketNumber = number
| dedup ViolationLocalTime IncindetId
| join type=left
     [search index=servicenow sourcetype="snow:service_task" dv_number = TicketNumber]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

All the data from the first search comes back OK, but when I do the second search with the variable "TicketNumber", nothing is returned.

If, for example, I put a ticket number in:


| join type=left
     [search index=servicenow sourcetype="snow:service_task" dv_number = "REQ0000197"]

data is returned, but it is the same for all events.

My question is how can I do this second search using a variable?

Thanks in advance! 

ITWhisperer
SplunkTrust

You could try something like this - join with a common field name, e.g. dv_number instead of TicketNumber:

index="epo" source="endpoint"
| rex field="JustificationText" "(?<number>(?:REQ|INC|TRE|CHG)\d{7})"
| eval dv_number = number
| dedup ViolationLocalTime IncindetId
| join type=left dv_number
     [search index=servicenow sourcetype="snow:service_task" ]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

JuanAntunes
Explorer

Hi @ITWhisperer, thank you for your reply.

But running the query the way you told me still doesn't return anything:

index="epo" source="endpoint"
| rex field="JustificationText" "(?<number>(?:REQ|INC|TRE|CHG)\d{7})"
| eval dv_number = number
| dedup ViolationLocalTime IncindetId
| join type=left dv_number
     [search index=servicenow sourcetype="snow:service_task" ]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location

In the events where tickets are found, we should have the columns from the NOW table, but they are always blank.

JuanAntunes_1-1619777932449.png

Any other suggestions? Thank you very much!

ITWhisperer
SplunkTrust

I can't see any reason why it would not work. Can you try a different way of forcing the join to return the same ticket for all events?

index="epo" source="endpoint"
| rex field="JustificationText" "(?<number>(?:REQ|INC|TRE|CHG)\d{7})"
| eval dv_number = "REQ0000197"
| dedup ViolationLocalTime IncindetId
| join type=left dv_number
     [search index=servicenow sourcetype="snow:service_task" ]
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location
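An added alternative that is not from either poster: instead of `join`, which runs the ServiceNow subsearch on its own (so a field from the outer search such as `TicketNumber` is never visible inside it and is compared as the literal string "TicketNumber"), the search below feeds the extracted ticket numbers into the ServiceNow search as a filter and then merges the two sides with `eventstats` on the shared `dv_number` field. The index, sourcetype and field names are taken from the thread; the regex is written as one capture group over the four ticket prefixes (REQ, INC, TRE, CHG) so that all four types are extracted, and the assumption that the ServiceNow `dv_number` values are formatted exactly like the numbers in `JustificationText` is what makes the match work.

```spl
(index="epo" source="endpoint")
    OR (index=servicenow sourcetype="snow:service_task"
        [search index="epo" source="endpoint"
         | rex field="JustificationText" "(?<dv_number>(?:REQ|INC|TRE|CHG)\d{7})"
         | stats count by dv_number
         | fields dv_number])
| rex field="JustificationText" "(?<dv_number>(?:REQ|INC|TRE|CHG)\d{7})"
| eventstats values(contact_type) as contact_type
            values(dv_u_requested_by) as dv_u_requested_by
            values(dv_location) as dv_location
            by dv_number
| search index="epo"
| dedup ViolationLocalTime IncindetId
| table Status ViolationLocalTime IncidentId UserName Name JustificationText TotalContentSize RulesToDisplay contact_type dv_u_requested_by dv_location
```

The inner subsearch returns `(dv_number="REQ0000197" OR dv_number="INC...")`, so only the ServiceNow tasks that are actually referenced are read; the final `rex` only changes ePO events, because ServiceNow events have no `JustificationText` and already carry `dv_number`. `eventstats ... by dv_number` copies the ServiceNow columns onto every ePO event with the same ticket number while keeping one row per violation, and ePO events without a ticket keep their own fields with the ServiceNow columns empty, which is the left-join behaviour the question asks for. Before trusting any of this, check that both sides really produce identical keys with `... | stats count by index dv_number`: `join` and this approach both need an exact string match, so a different case, a prefix or trailing whitespace on one side yields the blank columns described above. Subsearches are also capped (by default 10,000 results and 60 seconds), so with many tickets prefer a lookup or a summary index instead.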