Splunk Search

splunk search statement using keyword from input box text string

mia
Explorer

the large size logs like as below

it's not a regular json data, therefore need to using rex to get fields

A logs have name and uid

B and C logs have uid and oid

the dashboard accept input name, it allow multiple name with comma

then using the name to find the uid and figure out the related uid and oid data from B logs and exclude from c logs

so, I don't know how to 

1. in a search statement substitute using the value of users be a keyword

2. combine the field data with comma for using  function search data in (...) 

 

Thanks.

--

for example:

A logs:
... x1 ...uid=123...
... y2 ...uid=456...
... z3 ...uid=789...

B logs:
.... oid=989 ...uid=123 ...
.... oid=566 ...uid=456 ...
.... oid=486 ...uid=789 ...

C logs:
...cancel_order... oid=989 ...uid=123 ...
...cancel_order... oid=566 ...uid=456 ...
...cancel_order... oid=486 ...uid=789 ...

a dashboard has a input box text: users, and user can input multiple users with comma
the value of users will be like "x1,z3"

I wont to put the value in a search statement
such us

| makeresults
| eval users="x1,z3"

| eval names=replace(users, ",", " OR ")    =>excepted result: x1 OR z3
| search source="alog" $names$     => Substitute the names value into keyword
| rex "name=(?<name>\S+)"
| rex "uid=(?<uid>\d+)"
| table name,uid
| join type=left max=0 uid
[
source="blog" 
| rex "uid=(?<uid>\d+)"
| rex "oid=(?<oid>\d+)"
| search uid in (uids)    => uids combin the uid values with comma ex: (123,456,789)
| table uid,oid
]
| join type=left max=0 oid
[
source="clog" cancel_order
| rex "uid=(?<uid>\d+)"
| rex "oid=(?<oid>\d+)"
| search uid in (uids)    => uids combin the uid values with comma ex: (123,456,789)
| table uid,oid,status
]
| where isnull(status)
| stats count(oid) by name

Labels (1)
0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...