cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Filomenka
Explorer
Member since: ‎07-13-2020
‎07-15-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 2
Karma Received 0
Member Since ‎07-13-2020
Activity Feed
View All

Re: Define & use variable in same search

by in Splunk Search
‎07-15-2020 06:41 AM
‎07-15-2020 06:41 AM
Thank you rich, you are a lifesaver! 🙂 Works like a charm... If anybody else is reading this, this is the solution that worked for me (this can be used as a template): <form theme="dark"> <label>debug-dashboard-beta</label> <description>closeml debug</description> <fieldset submitButton="true" autoRun="true"> <input type="time" token="time"> <label>Time range</label> <default> <earliest>-15m@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="Customer"> <label>Customer</label> <choice value="*">ALL</choice> <choice value="abc">ABC</choice> <choice value="123">123</choice> <choice value="xyz">XYZ</choice> </input> <input type="dropdown" token="Environment"> <label>Environment</label> <choice value="*">ALL</choice> <choice value="prod">prod</choice> <choice value="acc">acc</choice> <choice value="test">test</choice> <choice value="dev">dev</choice> </input> <input type="dropdown" token="Label"> <label>Label</label> <selectFirstChoice>true</selectFirstChoice> <choice value="">No label</choice> <choice value="b">b</choice> <choice value="c">c</choice> </input> <input type="text" token="custom_search"> <label>Custom search</label> <default>"0200 error" OR "0200 severe"</default> </input> </fieldset> <row> <panel> <event> <search> <query>index="$Customer$-closeml$Label$-$Environment$" OR index="$Customer$-close-rest-api$Label$-$Environment$" OR index="$Customer$-close-communication-service$Label$-$Environment$" OR index="$Customer$-transfer-service$Label$-$Environment$" OR index="$Customer$-close-document-service$Label$-$Environment$" OR index="$Customer$-closeml-dsf$Label$-$Environment$" OR index="$Customer$-close-document-generator$Label$-$Environment$" OR index="$Customer$-closeml-loan-service$Label$-$Environment$" OR index="$Customer$-calculation-service$Label$-$Environment$" $custom_search$</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <option name="count">20</option> <option name="list.drilldown">none</option> <option name="list.wrap">1</option> <option name="maxLines">5</option> <option name="raw.drilldown">full</option> <option name="rowNumbers">0</option> <option name="table.drilldown">all</option> <option name="table.sortDirection">asc</option> <option name="table.wrap">1</option> <option name="type">list</option> </event> </panel> </row> </form>   ... View more

Re: Define & use variable in same search

by in Splunk Search
‎07-14-2020 10:39 PM
‎07-14-2020 10:39 PM
As mentioned I already have dashboards in place with the needed filters: Trying to think this through - can I add a "custom field" (type string) which would be used as an additional filter (in the screenshot)? This way I could achieve the same thing you mentioned (dashboard with selectors) + the custom field & it would solve the issue. BTW Thank you for your time & effort @richgalloway , I really appreciate it. ... View more

Re: Define & use variable in same search

by in Splunk Search
‎07-14-2020 02:17 AM
‎07-14-2020 02:17 AM
Well, that is unfortunate, since the variable part would solve this issue. We have x-customers, y-applications per customer & 3-6 environments per customer. Indexes share the same naming convention: index=<$customer>-<$app01>-<$environment> We have 10+ applications, 3-6 environments per customer & every search is a hard-coded index with customer-app-evironment. We have a dashboard per customer created with specific searches but for ad-hoc debugging this is my personal go-to (splunk search) for filtering interesting data. The reason for this post was to create an "ultimate one-line" search, where only 2 parts of the data would change (input for the search => variable). I am not sure this is the right approach, but it definitely looks like the easiest. ... View more

Define & use variable in same search

by in Splunk Search
‎07-13-2020 07:17 AM
‎07-13-2020 07:17 AM
Hello, fellow splunkers! I am trying to find a search string where I could define a variable & then use it in the same search. Example:     var1=some_value; var2=some_value; | index="$var1-app01-$var2" OR index="$var1-app02-$var2" OR index="$var1-app03-$var2" "error" OR "severe"     Our current Splunk setup has too many indexes per customer/environment & this little feature would help a lot with unifying the searches. I tried to browse the web/this forum and unfortunately did not find this or a similar issue. Any help is appreciated, thank you! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-15-2020 10:35 AM
Karma given to
View All