Hello Everyone, I have the following Splunk query, which I am trying to build for a dropdown in a dashboard. Basically there are 2 dropdowns; the 1st dropdown has static values, which are index names: index_1, index_2, index_3.

Based on the selected index, I am trying to run the Splunk query:

    index="index_1"
    | eval hostname_pattern=case(
        index == "index_1","*-hostname_1",
        index == "index_2","*-hostname_2"
      )
    | search hostname= hostname_pattern

The search always returns empty. However, if I run the direct query for index_1 or index_2 with its relevant hostname, it works and returns results:

    index="index_1"
    | search hostname= "*-hostname_1"

For the sake of checking whether my condition is working or not, I fed the output of eval case into a table, and checked by passing the relevant indexes (index_1 or index_2):

    index="index_1"
    | eval hostname_pattern=case(
        index == "index_1","*-hostname_1",
        index == "index_2","*-hostname_2"
      )
    | stats count by hostname_pattern | table hostname_pattern | sort hostname_pattern

This returns *-hostname_1.

Not sure how we pass the hostname value based on the selected index for the search. Highly appreciate your help.
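
An added example, not part of the original post: the `search` command treats the right-hand side of `hostname=hostname_pattern` as the literal string `hostname_pattern`, while `where` evaluates it as a field. Because `like()` uses `%` rather than `*` as its wildcard, the patterns from the post are rewritten accordingly; index and hostname names are the post's own placeholders.

```spl
index="index_1"
| eval hostname_pattern=case(
    index == "index_1", "%-hostname_1",
    index == "index_2", "%-hostname_2"
  )
| where like(hostname, hostname_pattern)
| stats count by hostname, hostname_pattern
```

Events from an index with no matching `case()` branch get a null `hostname_pattern` and are dropped by the `where` clause, so an unexpected empty result for index_3 points at a missing branch rather than missing data.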