Splunk Search

Using variables with IN and LIKE functions

drezanka
Explorer

I am using Splunk Enterprise V8.2.3.2. I am trying to alert when a scheduled search becomes disabled. The problem is that I have four systems using the same app but with different searches enabled and disabled for each of the systems. I need to dynamically determine which system the alert is running on and get the corresponding list of searches that are supposed to be enabled from a lookup table.

I have done that. Now I need to see if the disabled search name matches one of the search names in the lookup table list. List is like:

Searches that should be enabled (fieldname searches): apple tart,blueberry pie,carrot cake,cupcake

Search found to be disabled (fieldname disabled): carrot cake

I would like to do something like:

eval failed=if(in(disabled,searches),"Failed","Passed")

where disabled in(searches)

or, search disabled IN searches

However, none of these approaches have worked. Any advice? Thanks in advance.


ITWhisperer
SplunkTrust

Have you tried it the other way around?

| eval failed=if(len(disabled)>0 AND match(searches,disabled),"Failed","Passed")

drezanka
Explorer

It's really a chicken and egg problem. I am trying to use the result of an outer search in an inner search. Working on alternatives.


drezanka
Explorer

I was able to use split() to compare two variables rather than having to have a distinct list defined. Solved.

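An added example (not from the thread) that contrasts the three membership checks discussed above on constructed data built with makeresults: match() over the raw comma-separated string, a delimiter-aware like(), and the split()-plus-mvfind() approach the asker settled on. The field names searches and disabled follow the question; the rows and their values are invented for illustration.

```spl
| makeresults count=3
| streamstats count AS row
| eval searches="apple tart,blueberry pie,carrot cake,cupcake"
| eval disabled=case(row=1, "carrot cake", row=2, "cake", row=3, "")
| eval naive=if(len(disabled)>0 AND match(searches, disabled), "Failed", "Passed")
| eval exact_like=if(len(disabled)>0 AND like("," . searches . ",", "%," . disabled . ",%"), "Failed", "Passed")
| eval searches_mv=split(searches, ",")
| eval exact_mv=if(len(disabled)>0 AND isnotnull(mvfind(searches_mv, "^" . disabled . "$")), "Failed", "Passed")
| table row disabled naive exact_like exact_mv
```

Row 2 shows the difference that matters for an alert: the substring check reports Failed for the fragment "cake" because it occurs inside "carrot cake" and "cupcake", while both exact checks report Passed. mvfind() takes a regular expression and like() treats % and _ as wildcards, so search names containing those characters need escaping before either check is trusted.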

ITWhisperer
SplunkTrust

Inner searches are executed before outer searches, so this is unlikely to work! Try finding a way to invert the searches.
