Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using variables with IN and LIKE functions

drezanka
Explorer
‎01-19-2022 09:58 AM

I am using Splunk Enterprise V8.2.3.2. I am trying to alert when a scheduled search becomes disabled. The problem is that I have four systems using the same app but with different searches enabled and disabled for each of the systems. I need to dynamically determine which system the alert is running on and get the corresponding list of searches that are supposed to be enabled from a lookup table.

I have done that. Now I need to see if the disabled search name matches one of the search names in the lookup table list. List is like:

Searches that should be enabled(fieldname searches):  apple tart,blueberry pie,carrot cake,cupcake

Search found to be disabled(fieldname disabled): carrot cake

I would like to do something like:

eval failed=if(in(disabled,searches),"Failed","Passed")

where disabled in(searches)

or,  search disabled IN searches

However, none of these approaches have worked. Any advice? Thanks in advance.

 

 

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-19-2022 10:59 AM

Have you tried it the other way around

| eval failed=if(len(disabled)>0 AND match(searches,disabled),"Failed","Passed")
0 Karma
Reply

drezanka
Explorer
‎01-19-2022 12:03 PM

It's really a chicken and egg problem. I am trying to use the result of an outer search in an inner search. Working on alternatives.

0 Karma
Reply

drezanka
Explorer
‎01-19-2022 02:12 PM

I was able to use split() to compare two variables rather than having to have a distinct list defined. Solved

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-19-2022 01:33 PM

Inner searches are executed before outer searches so this is unlikely to work! Try finding a way to invert the searches

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...