Splunk Search

dropdown and conditional field value based search

New Member

I have a view that I want to use to filter hosts by development tier (QA, STAGE, PROD).

The drop down is configured as such:



PROD
STAGE
DEV
PROD

The source field has different values based on environment:

PRD: source= /prd/logname.log
STAGE: source= /data/stage/logs/logname.log
DEV: source= /home/qaenvhost/logging/logname.log

I want to display results only for the relevant hosts in each tier ... so I think the right way to go is either via IF or CASE, but I'm not sure how to filter my search based on $env$ and the source field.

I'm new to more complex searching in Splunk and would appreciate guidance on the right way to do this.


Re: dropdown and conditional field value based search

New Member

I've tried the following, but this only overwrites my source ... and the processing comes after the actual indexing of the results (right?):

index="" sourcetype="delorean-jvmgc" | eval source=case($env$ == "Prod", "/prd/", $env$ == "STAGE", "/data/stage/", $env$ == "DEV", "/home/")


Re: dropdown and conditional field value based search

New Member

index="" sourcetype="delorean-jvmgc" | eval source=case($env$ == "Prod", "/prd/", $env$ == "STAGE", "/data/stage/", $env$ == "DEV", "/home/*")


Re: dropdown and conditional field value based search

SplunkTrust

Are the source values static (having only the 3 possible values mentioned in the question)?


Re: dropdown and conditional field value based search

Explorer

Note that you've specified different values for the source field in your question and in your comments. My answer is based on the values you've listed in your second comment; adjust them as needed for the real search.

If you change the values of the choices to be the values you want for the source field, e.g.:

<choice value="/prd/">STAGE</choice>

then the following search should work:

index="" sourcetype="delorean-jvmgc" source="$env$"

Alternately, add the following prefix and suffix to the input:

  <prefix>source="</prefix>
  <suffix>"</suffix>

and simply search for:

index="" sourcetype="delorean-jvmgc" $env$

If you need to retain the original values, you could use a subsearch with your original definition (taking the source values from your second comment):

index="" sourcetype="delorean-jvmgc" [
    | gentimes start=-1
    | eval source=case("$env$" == "Dept.ProdDC.PROD", "/prd/", 
                       "$env$" == "Dept.STAGEDC.STAGE", "/data/stage/",
                       "$env$" == "Dept.DEVDC.DEV", "/home/*")
    | fields source
    ]

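The two approaches from the answer above, written out as one complete Simple XML form. This is an added example, not code from the thread: the first dropdown puts the source path in the choice value and wraps it with prefix/suffix; the second keeps PROD/STAGE/DEV as the value and maps it to a source inside a subsearch. The source paths are the ones listed in the question and the sourcetype is the one used in the thread; the form label, panel titles, time range and the trailing `stats` clause are assumptions added for illustration.

```xml
<form>
  <label>JVM GC by environment (added example)</label>
  <fieldset submitButton="false">
    <!-- Option 1: the choice value is the source path itself. prefix/suffix
         wrap it, so $env$ expands to the single quoted term
         source="/prd/logname.log" and nothing else. -->
    <input type="dropdown" token="env" searchWhenChanged="true">
      <label>Environment (source value)</label>
      <choice value="/prd/logname.log">PROD</choice>
      <choice value="/data/stage/logs/logname.log">STAGE</choice>
      <choice value="/home/qaenvhost/logging/logname.log">DEV</choice>
      <default>/prd/logname.log</default>
      <prefix>source="</prefix>
      <suffix>"</suffix>
    </input>
    <!-- Option 2: keep the human-readable tier as the value and map it to a
         source path inside a subsearch in the panel query. -->
    <input type="dropdown" token="tier" searchWhenChanged="true">
      <label>Environment (tier name)</label>
      <choice value="PROD">PROD</choice>
      <choice value="STAGE">STAGE</choice>
      <choice value="DEV">DEV</choice>
      <default>PROD</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Option 1: token carries the quoted source term</title>
      <table>
        <search>
          <query>index="*" sourcetype="delorean-jvmgc" $env$ | stats count BY host, source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Option 2: subsearch maps tier to source</title>
      <table>
        <search>
          <!-- gentimes start=-1 yields one row; eval attaches the mapped source;
               fields source keeps only that field, so the subsearch hands the
               outer search exactly one term: source="..." -->
          <query>index="*" sourcetype="delorean-jvmgc"
    [ | gentimes start=-1
      | eval source=case("$tier$" == "PROD",  "/prd/logname.log",
                         "$tier$" == "STAGE", "/data/stage/logs/logname.log",
                         "$tier$" == "DEV",   "/home/qaenvhost/logging/logname.log")
      | fields source ]
| stats count BY host, source</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The token is substituted textually into the search string, so in option 1 the prefix/suffix quoting is what keeps the chosen value a single `source=` term. In option 2, `| fields source` trims the subsearch's one row down to that field, so what the outer search receives is `source="..."` and nothing else; running the bracketed part on its own with `| format` appended shows that generated term in the `search` column.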


Re: dropdown and conditional field value based search

New Member

That worked like a charm. One slight edit is that index="*". I'd like to better understand the usage of the | fields source. Is that what pipes the results of the search within the brackets to the field source?


Re: dropdown and conditional field value based search

Explorer

If you are searching every index, you can drop index="*" entirely.

Brackets indicate a subsearch. The subsearch generates terms that are inserted into the outer search. You can see exactly what terms by running the subsearch alone (no brackets), and appending "| format" to the end. Look for the "search" column in the results.

There's more to it than that, of course. Section "Group and Correlate Events" in the search manual has more details.
