Can I have arrays or indexed variables in an app's...

neiljpeterson · ‎03-28-2014

This is probably a dumb question.... but I have researched it from various angles and cannot find what I am looking for exactly.

How can I store an arbitrary number of variables that will be persistent and can be accessed by all the dashboards in an app?

In my case, this will be a list of servers that the app needs to search and I would like to be able to set these values once and know that any existing or new dashboards will be able to search data from those hosts.

I am imagining something like: $servers = [host1, host2, host3] etc... and my searches can written like "host=$servers[0] OR host=$server[1] OR host=$server[2]..." up to whatever maximum number of servers I want to allow on my dashboards. Is such a thing possible?

( It would be even better if there was (or could be written) a macro that would make the number of elements searched for truly arbitrary such that I can define the variable and the boolean joiner... a la foobar($servers, "OR") and away we go... but one thing at a time )

I assume this will go in a myconf.conf or something similar? I could not find any reference of the datatypes or structures possible for the conf files, but perhaps I missed it.

Please point me in the right direction! Thanks!

Ayn · ‎03-28-2014

I guess you could do this using lookups? Define a lookup in your app that holds the servers you're interested in, then use this lookup in your searches like this:

<yourbasesearch> [|inputlookup mylookup | fields host]

After the subsearch has run, this will expand to something like this:

<yourbasesearch> ((host="server1") OR (host="server2") OR (host="server3"))

Can I have arrays or indexed variables in an app's (or dashboard's) conf file?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk