Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using variables with IN and LIKE functions

drezanka
Explorer
‎01-19-2022 09:58 AM

I am using Splunk Enterprise V8.2.3.2. I am trying to alert when a scheduled search becomes disabled. The problem is that I have four systems using the same app but with different searches enabled and disabled for each of the systems. I need to dynamically determine which system the alert is running on and get the corresponding list of searches that are supposed to be enabled from a lookup table.

I have done that. Now I need to see if the disabled search name matches one of the search names in the lookup table list. List is like:

Searches that should be enabled(fieldname searches):  apple tart,blueberry pie,carrot cake,cupcake

Search found to be disabled(fieldname disabled): carrot cake

I would like to do something like:

eval failed=if(in(disabled,searches),"Failed","Passed")

where disabled in(searches)

or,  search disabled IN searches

However, none of these approaches have worked. Any advice? Thanks in advance.

 

 

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-19-2022 10:59 AM

Have you tried it the other way around

| eval failed=if(len(disabled)>0 AND match(searches,disabled),"Failed","Passed")
0 Karma
Reply

drezanka
Explorer
‎01-19-2022 12:03 PM

It's really a chicken and egg problem. I am trying to use the result of an outer search in an inner search. Working on alternatives.

0 Karma
Reply

drezanka
Explorer
‎01-19-2022 02:12 PM

I was able to use split() to compare two variables rather than having to have a distinct list defined. Solved

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-19-2022 01:33 PM

Inner searches are executed before outer searches so this is unlikely to work! Try finding a way to invert the searches

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...
Top