Splunk Search

Using variables with IN and LIKE functions

drezanka
Explorer

I am using Splunk Enterprise V8.2.3.2. I am trying to alert when a scheduled search becomes disabled. The problem is that I have four systems using the same app but with different searches enabled and disabled for each of the systems. I need to dynamically determine which system the alert is running on and get the corresponding list of searches that are supposed to be enabled from a lookup table.

I have done that. Now I need to see if the disabled search name matches one of the search names in the lookup table list. List is like:

Searches that should be enabled (fieldname searches): apple tart,blueberry pie,carrot cake,cupcake

Search found to be disabled (fieldname disabled): carrot cake

I would like to do something like:

eval failed=if(in(disabled,searches),"Failed","Passed")

where disabled in(searches)

or, search disabled IN searches

However, none of these approaches have worked. Any advice? Thanks in advance.


ITWhisperer
SplunkTrust

Have you tried it the other way around?

| eval failed=if(len(disabled)>0 AND match(searches,disabled),"Failed","Passed")

drezanka
Explorer

It's really a chicken and egg problem. I am trying to use the result of an outer search in an inner search. Working on alternatives.


drezanka
Explorer

I was able to use split() to compare two variables rather than having to have a distinct list defined. Solved.

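A worked version of the split() approach described above, added here as an example and not taken from the thread. The makeresults row is constructed sample data using the question's field names (searches, disabled); split() turns the comma-separated lookup value into a multivalue field and mvfind() checks it for an exact, anchored match rather than the substring match that match(searches,disabled) would do (where "cake" would also hit "carrot cake"):

```spl
| makeresults
| eval searches="apple tart,blueberry pie,carrot cake,cupcake", disabled="carrot cake"
| eval searches_mv=split(searches, ",")
| eval failed=if(isnotnull(disabled) AND isnotnull(mvfind(searches_mv, "^".disabled."$")), "Failed", "Passed")
| where failed="Failed"
```

The sample list has no spaces after the commas, so no trimming is needed; because mvfind takes a regex, a search name containing regex metacharacters (such as a dot or parenthesis) would need escaping before being concatenated into the pattern.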

ITWhisperer
SplunkTrust

Inner searches are executed before outer searches, so this is unlikely to work! Try finding a way to invert the searches.
