Splunk Search

search using a variable as condition

snemiro_514
Path Finder

Hola Splunkers,

I want to consolidate two dynamic drilldowns in a table. Each drilldown is passing the same token $token$, and my table should display the relevant events (all the events come from the same source)

I'm trying to keep things simple, and I'm very close to making it work.

My 1st problem is: I couldn't find a simple way to verify if the $token$ has a default value or has a "legal" value (e.g. isnull).

So, I've decided to use the same variable for both graphs....$type_tok$, which leads to my 2nd problem. I cannot execute a search with a condition in a variable.

From the graph#1, the values in the token are: "SUCCESS", "ERROR", "UNDEF". (A value in the field Response)
From the graph #2, the values are: A01, D03, F05 (always number in the 2nd position) (A value in the field Result)

So I'm trying to distinguish between the two sources, checking if the 2nd character in the token is a number, so in my table, I'm trying something like:

...| eval condition=if(isint(substr($type_tok$,2,1)), "Response=$type_tok$", "Result=$type_tok$")| search condition | table _time, Id, error, Type, EndTime

But of course, it doesn't work. The eval fails, and the search never works.

I tried a simple search with a variable with and without $, but I couldn't make it work.
... | eval test="Respons=SUCCESS" | search $test$

I know it is possible to trigger saved search, but I prefer not to do it.

Any advice?

0 Karma

nekbote
Path Finder

Was this ever resolved...is there a solution?

0 Karma

martin_mueller
SplunkTrust

You can move your if() expression into an eval-based macro and use that in your main search:

some key words `your_if_macro("$type_tok$")` | table ...

The macro is evaluated once before the search runs, and the string returned by the if() expression is inserted into the search string. Hence you can calculate both the field name and field value you're filtering for!

0 Karma

martin_mueller
SplunkTrust

case() will work in eval-based macros as well.

0 Karma
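A worked version of the eval-based macro described in the two replies above (an if()/case() expression whose string result is pasted into the search string). This is an added example, not code from the thread or from Splunk; the macro name pick_field, the index name app_events and the three token patterns are assumptions taken from the question. The macro is defined in macros.conf (or through Settings > Advanced search > Search macros) and called from the dashboard search:

```ini
# macros.conf (added example; name and patterns are assumptions)
[pick_field(1)]
args = tok
iseval = 1
# The expression runs once, before the search, and the string it returns
# replaces the macro call in the search text. $tok$ is substituted verbatim,
# so the caller must pass it already quoted (see the search below).
definition = case(match($tok$, "^[A-Z]\d\d$"), "Result=" . $tok$, match($tok$, "^(SUCCESS|ERROR|UNDEF)$"), "Response=" . $tok$, true(), "Response=INVALID_TOKEN")

# Dashboard search that calls it (Simple XML):
#   index=app_events `pick_field($type_tok|s$)` | table _time, Id, error, Type, EndTime
# With $type_tok$ = A01     the macro expands to:  Result=A01
# With $type_tok$ = SUCCESS the macro expands to:  Response=SUCCESS
```

Two details matter here. First, the |s token filter wraps the value in double quotes and escapes any quotes inside it, so the macro receives a single string literal; without it, a drilldown value containing spaces, quotes or a pipe would be spliced into the search text as-is and could change what the search does. Second, the true() branch is what answers the "default or legal value" question from the original post: anything that is neither a Response value nor an A01-style Result value expands to a term that matches no events instead of to a broken search, which only helps if the token has a default value set in the dashboard, since a panel whose token is unset does not run at all.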

nekbote
Path Finder

Thanks Martin!!

0 Karma

nekbote
Path Finder

Hi Martin,

Thank you for the response. In my case I needed to use case, as I have more than 4 conditions to look at and then determine the value. However I was able to get around it using

....| where eval xyz=Case()| table...

thanks!

0 Karma