Using variables with IN and LIKE functions

drezanka · ‎01-19-2022

I am using Splunk Enterprise V8.2.3.2. I am trying to alert when a scheduled search becomes disabled. The problem is that I have four systems using the same app but with different searches enabled and disabled for each of the systems. I need to dynamically determine which system the alert is running on and get the corresponding list of searches that are supposed to be enabled from a lookup table.

I have done that. Now I need to see if the disabled search name matches one of the search names in the lookup table list. List is like:

Searches that should be enabled(fieldname searches): apple tart,blueberry pie,carrot cake,cupcake

Search found to be disabled(fieldname disabled): carrot cake

I would like to do something like:

eval failed=if(in(disabled,searches),"Failed","Passed")

where disabled in(searches)

or, search disabled IN searches

However, none of these approaches have worked. Any advice? Thanks in advance.

ITWhisperer · ‎01-19-2022

Have you tried it the other way around

| eval failed=if(len(disabled)>0 AND match(searches,disabled),"Failed","Passed")

drezanka · ‎01-19-2022

It's really a chicken and egg problem. I am trying to use the result of an outer search in an inner search. Working on alternatives.

drezanka · ‎01-19-2022

I was able to use split() to compare two variables rather than having to have a distinct list defined. Solved

ITWhisperer · ‎01-19-2022

Inner searches are executed before outer searches so this is unlikely to work! Try finding a way to invert the searches

Using variables with IN and LIKE functions

fields

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life