Solved: dropdown and conditional field value based search

cfbridgewater · ‎06-24-2014

i have view that i want to use to filter hosts by development tier (QA, STAGE, PROD).

The drop down is configured as such:

PROD
STAGE
DEV
PROD

The source field has different values based on environment:

PRD: source= /prd/logname.log
STAGE: source= /data/stage/logs/logname.log
DEV: source= /home/qa_env_host/logging/logname.log

I want to display results only for the relevant hosts in each tier ... so i think the right way to go is either via IF or CASE, but i'm not sure how to filter my search based on $env$ and the source field.

i'm new to more complex searching in splunk and would appreciate guidance on the right way to do this.

davby · ‎06-25-2014

Note that you've specified different values for the source field in your question and in your comments. My answer is based on the values you've listed in your second comment; adjust them as needed for the real search.

If you change the values of the choices to be the values you want for the source field, e.g.:

<choice value="/prd/">STAGE</choice>

then the following search should work:

index="" sourcetype="delorean-jvmgc" source="$env$"

Alternately, add the following prefix and suffix to the input:

  <prefix>source="</prefix>
  <suffix>"</suffix>

and simply search for:

index="" sourcetype="delorean-jvmgc" $env$

If you need to retain the original values, you could use a subsearch with your original definition (taking the source values from your second comment):

index="" sourcetype="delorean-jvmgc" [
    | gentimes start=-1
    | eval source=case("$env$" == "Dept.ProdDC.PROD", "/prd/", 
                       "$env$" == "Dept.STAGEDC.STAGE", "/data/stage/",
                       "$env$" == "Dept.DEVDC.DEV", "/home/*")
    | fields source
    ]

View solution in original post

cfbridgewater · ‎06-25-2014

that worked like a charm. one slight edit is that index="*". i'd like to better understand the usage of the | fields source. is that what pipes the results of the search within the brackets to the field source?

davby · ‎06-25-2014

Note that you've specified different values for the source field in your question and in your comments. My answer is based on the values you've listed in your second comment; adjust them as needed for the real search.

If you change the values of the choices to be the values you want for the source field, e.g.:

<choice value="/prd/">STAGE</choice>

then the following search should work:

index="" sourcetype="delorean-jvmgc" source="$env$"

Alternately, add the following prefix and suffix to the input:

  <prefix>source="</prefix>
  <suffix>"</suffix>

and simply search for:

index="" sourcetype="delorean-jvmgc" $env$

If you need to retain the original values, you could use a subsearch with your original definition (taking the source values from your second comment):

index="" sourcetype="delorean-jvmgc" [
    | gentimes start=-1
    | eval source=case("$env$" == "Dept.ProdDC.PROD", "/prd/", 
                       "$env$" == "Dept.STAGEDC.STAGE", "/data/stage/",
                       "$env$" == "Dept.DEVDC.DEV", "/home/*")
    | fields source
    ]

Wendy · ‎08-07-2021

I came across this answer with a similar situation to solve.

Situation:

I created a dropdown with different deployment environments as values, source code like below:

<input type="dropdown" token="deploy_env" searchWhenChanged="true">
<label>Deployment Environment</label>
<choice value="nonprod">Non Production</choice>
<choice value="prod">Production</choice>
<default>nonprod</default>
</input>

I need to query below, namely to have space_name and app_name value depend on $delpy_env$:

index=$deploy_env$ org_name="my_org_name" space_name="spacename_based_on_$deploy_env$" app_name="appname_based_on_$deploy_env$" message_type=OUT | search "Qr Pdf sent to" | stats count

Based on answers from this topic, I came up with below solution:

index=$deploy_env$org_name="my_org_name" message_type=OUT
| eval space_name=case("$deploy_env$" == "nonprod", "spacename-dev", "$deploy_env$" == "spacename-prod", "prod")
| eval app_name=case("$deploy_env$" == "nonprod", "serviceappname-dev", "$deploy_env$" == "prod", "serviceappname-prod")
| search "Qr Pdf sent to" | stats Count

Could anyone check if the solution is correct please and if there are better ways to solve this issue? Thank you.

davby · ‎06-25-2014

If you are searching every index, you can drop index="*" entirely.

Brackets indicate a subsearch. The subsearch generates terms that are inserted into the outer search. You can see exactly what terms by running the subsearch alone (no brackets), and appending "| format" to the end. Look for the "search" column in the results.

There's more to it than that, of course. Section "Group and Correlate Events" in the search manual has more details.

cfbridgewater · ‎06-25-2014

that worked like a charm. one slight edit is that index="*". i'd like to better understand the usage of the | fields source. is that what pipes the results of the search within the brackets to the field source?

somesoni2 · ‎06-24-2014

Are the source value static (have only 3 possible values as mentioned in the question?

cfbridgewater · ‎06-24-2014

index="" sourcetype="delorean-jvmgc" | eval source=case($env$ == "Prod", "/prd/", $env$' == "STAGE", "/data/stage/", $env$ == "DEV", "/home/*")

cfbridgewater · ‎06-24-2014

i've tried the following, but this only overwrites my source ... and the processing comes after the actual indexing of the results (right?):

index="" sourcetype="delorean-jvmgc" | eval source=case($env$ == "Prod", "/prd/", $env$' == "STAGE", "/data/stage/", $env$ == "DEV", "/home/")

dropdown and conditional field value based search

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!