
I want a form that will allow a user to "build" the appropriate "source" (or log file name) based on selecting various pieces of data.

So the fields will be like this:

Date Application Server

I want to then build a string to use in the search.

Trying to use eval but getting nowhere....

sourcetype=MySourceType | eval sourcelog=Date."-".Application."-".Server.".log" |search source=sourcelog

This always returns 0 results. If I leave out the search function, the sourcelog field is populated.

Once I can get this search to work, I can use it in the populatingsearch function of the form.

Ideas?

asked 13 Jul '11, 08:47


timmy13


One Answer:

When comparing two fields you want to use the where command instead:

sourcetype=MySourceType | eval sourcelog=Date."-".Application."-".Server.".log" | where source=sourcelog

answered 13 Jul '11, 15:49


hazekamp

Great hazekamp, thanks for the help. That works, but I still have a problem.

Of course, when defining source=, I can use wildcards. However, when I place wildcards into sourcelog, and then use the where source=sourcelog command, it fails. Seems the where doesn't like wildcards.

Ideas?

(14 Jul '11, 12:32) timmy13
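
An added example, not part of the original thread: `search source=sourcelog` compares source against the literal string "sourcelog", while `where` compares the two fields' values exactly, with no wildcard expansion. One way to get pattern matching on a built field is the `like()` eval function, whose wildcards are `%` (any run of characters) and `_` (one character). The three events and their source, Date and Application values below are constructed sample data generated with `makeresults`, so the search runs without any indexed logs.

```spl
| makeresults count=3
| streamstats count AS n
| eval source=case(n==1, "2011-07-13-billing-web01.log",
                   n==2, "2011-07-13-billing-web02.log",
                   n==3, "2011-07-13-orders-web01.log")
| eval Date="2011-07-13", Application="billing"
| eval sourcelog=Date."-".Application."-%.log"
| where like(source, sourcelog)
| table source sourcelog
```

Only the two billing events are returned. Because `_` is also a `like()` wildcard, an underscore inside a form value matches any single character rather than only a literal underscore.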

Asked: 13 Jul '11, 08:47

Seen: 1,431 times

Last updated: 14 Jul '11, 12:32

Copyright © 2005-2014 Splunk Inc. All rights reserved.