I have a set of rules in one of my sourcetypes:
Rule    Expr    Value
Rule0   <0      Value0
Rule1   =1      Value1
...
Rule5   >=5     Value5
As long as the field Expr is a mathematical expression, I want to incorporate it as part of a search:
sourcetype="Logs" | ... | sourcetype="Rules" Rule=<calculated> | where LogError <Expr goes here>
i.e. to substitute the part of the query with the field value.
So after substitution I would have (say, Rule5 was hit):
sourcetype="Logs" | ... | sourcetype="Rules" Rule="Rule5" | where LogError >= 5 | table Value
but ">= 5" is dynamically formatted based on search results, not hardcoded in the query text.
I guess there could be some sort of search string formatting, but I didn't find anything except the "map" command. However, I'm not really sure how to use map here.
How is it possible to do such a substitution?
Is there any well-known Splunk command or practice?
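An added example, not part of the original question: Splunk's map command substitutes a previous result's field into the inner search as $Expr$, but that splices the raw field text into the search, so this constructed Python model of the Rules table shows the check to apply to Expr before it is used (only a comparison operator followed by a number is accepted; the rule names, field name and sample values are assumed from the question).

```python
import re

# Constructed copy of the "Rules" sourcetype from the question (assumed values).
RULES = {
    "Rule0": {"Expr": "<0", "Value": "Value0"},
    "Rule1": {"Expr": "=1", "Value": "Value1"},
    "Rule5": {"Expr": ">=5", "Value": "Value5"},
}

# An Expr must be exactly <operator><number>; pipes, quotes, brackets or
# function calls in a rule value are rejected before they reach the search.
EXPR_RE = re.compile(r"^\s*(<=|>=|!=|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*$")


def parse_expr(expr):
    """Split a rule Expr into (operator, number) or raise if it is not one."""
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError(f"rejected Expr {expr!r}: expected '<op> <number>'")
    return m.group(1), m.group(2)


def where_clause(expr, field="LogError"):
    """Build the 'where' clause from a validated Expr, e.g. '>=5' -> 'LogError >= 5'."""
    op, num = parse_expr(expr)
    return f"{field} {op} {num}"


def build_search(rule_name, rules=RULES):
    """Return the full search for the rule that was hit, as in the question."""
    clause = where_clause(rules[rule_name]["Expr"])
    return f'sourcetype="Logs" | where {clause} | table Value'


def validate_rules(rules=RULES):
    """Check every Expr in the table up front; return the names that failed."""
    bad = []
    for name, row in rules.items():
        try:
            parse_expr(row["Expr"])
        except ValueError:
            bad.append(name)
    return bad


if __name__ == "__main__":
    print(build_search("Rule5"))
    print("invalid rules:", validate_rules())
```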