The \`notable\` macro returns a field drilldown_search with the variables $user$ and $dest$ embedded in it.
I would like to make use of this elsewhere and replace $user$ and $dest$ with the values of those fields respectively.
Is there a simple way in SPL to tell Splunk to substitute $var$ for var?
The best I have come up with is:
```
`notable`
| eval drilldown_search = if(like(drilldown_search,"%$user$%"), replace(drilldown_search,"\$user\$", user), drilldown_search)
| eval drilldown_search = if(like(drilldown_search,"%$dest$%"), replace(drilldown_search,"\$dest\$", dest), drilldown_search)
```
This seems a bit convoluted and I need a statement for each $var$.
Also I found if I do not use the if(like(... then replace returns drilldown_search as null if it does not match.
Is there a better way of doing this?