Channel: Questions in topic: "splunk-enterprise"

Search/Macro using a variable as a condition

Hi all,

I am trying to use a variable as a search condition based on input in a text box. In order to make it simpler for users, I want them to be able to enter as many potential search strings as possible.

Textbox details on the dashboard:

    token: jobname
    default: *
    token prefix: job=

Example input: "string1 string2 string3"

I then put this through an eval to get a search condition to run:

    eventtype=my_eventtype | rex field="some regex (?moreregex)" | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=")

This will mean that the variable jobsearch will be: "job=string1 OR job=string2 OR job=string3"

How then do I use the variable as a search condition? The obvious way, you would think, would be to do this (carrying on from the above query):

    | search $jobsearch$

which doesn't work / returns nothing.

The other way that seemed promising was using macros:

    [stringsearch(1)]
    args = sstring
    definition = search $sstring$

Which doesn't seem to work either, using these examples.

This works:

    eventtype=my_eventtype | `stringsearch(mystringtosearch)`

This doesn't:

    eventtype=my_eventtype | eval var="mystringtosearch" | `stringsearch($var$)`

Does anyone know of a way of using strings in variables as conditions?

Thanks and best regards,
Alex
